b'September 2007\nReport No. AUD-07-014\n\n\nIndependent Evaluation of the FDIC\xe2\x80\x99s\nInformation Security Program-2007\n\n\n\n\n            AUDIT REPORT\n\x0c                                                                                                 Report No. AUD-07-014\n                                                                                                        September 2007\n\n\n                                    Independent Evaluation of the FDIC\xe2\x80\x99s Information\n                                    Security Program-2007\n                                    Results of Evaluation\nBackground and Purpose\nof Evaluation                       The FDIC has made significant progress in recent years in addressing the\n                                    information security provisions of FISMA and the National Institute of Standards\nThe FDIC Office of Inspector        and Technology. This progress is noteworthy given the considerable increase in\nGeneral (OIG) contracted with       information-security-related requirements levied on federal agencies. KPMG\nKPMG, LLP (KPMG) to                 found that the FDIC established policies and procedures in substantially all of the\nconduct an independent              security control areas evaluated. In addition, KPMG noted particular strength in\nevaluation of the FDIC\xe2\x80\x99s            the areas of Information Security Governance, Incident Response, and Awareness\ninformation security program        and Training and that additional improvements were underway at the close of the\nand practices pursuant to the       evaluation.\nFederal Information Security\nManagement Act of 2002              These accomplishments are notable. However, as reflected in the table below,\n(FISMA). FISMA requires             KPMG identified a number of information security control deficiencies\nfederal agencies, including the     warranting management attention. 
Addressing these security control deficiencies\nFDIC, to have an annual             will contribute to the FDIC\xe2\x80\x99s ongoing efforts to achieve reasonable assurance of\nindependent evaluation              adequate security over corporate information resources. KPMG\xe2\x80\x99s report\nperformed of their information      identifies steps that the Corporation can take to strengthen security controls in the\nsecurity program and practices      priority areas of Access Control; Identification and Authentication; Certification,\nand to report the results of the    Accreditation, and Security Assessments; Risk Assessment; Personnel Security;\nevaluation to the Office of         and Audit and Accountability. In many cases, the FDIC was already working to\nManagement and Budget.              improve security controls in these areas during KPMG\xe2\x80\x99s evaluation. The FDIC\n                                    OIG will follow up on the security control deficiencies identified in this report as\nKey to achieving the FDIC\xe2\x80\x99s         part of future FISMA evaluations.\nmission of maintaining stability\nand public confidence in the        KPMG\xe2\x80\x99s Assessment of the FDIC\xe2\x80\x99s Security Program Controls\nnation\xe2\x80\x99s financial system is\nsafeguarding the sensitive                                Control Families Tested        Control Families Tested That\n                                        Control\ninformation it collects and                                That Demonstrated               Warrant Management\n                                         Class\nmanages in its role as federal                                 Effectiveness                      Attention\ndeposit insurer of banks and                          \xe2\x80\xa2 Information Security            \xe2\x80\xa2 Enterprise Architecture\nsavings associations. 
Ensuring       Program\n                                                        Governance\nthe integrity, availability, and\nconfidentiality of this                               \xe2\x80\xa2 Planning                        \xe2\x80\xa2 Risk Assessment\ninformation in an environment        Management                                         \xe2\x80\xa2 Certification, Accreditation,\nof increasingly sophisticated                                                             and Security Assessments\nsecurity threats requires a\n                                                      \xe2\x80\xa2   Contingency Planning     \xe2\x80\xa2 Physical and Environmental\nstrong, enterprise-wide                               \xe2\x80\xa2   Configuration Management   Protection\ninformation security program.                         \xe2\x80\xa2   Maintenance              \xe2\x80\xa2 Personnel Security\n                                     Operational\n                                                      \xe2\x80\xa2   Incident Response        \xe2\x80\xa2 System and Information\nThe objective of the evaluation                       \xe2\x80\xa2   Awareness and Training     Integrity\nwas to determine the                                                               \xe2\x80\xa2 Media Protection\neffectiveness of the FDIC\xe2\x80\x99s\ninformation security program                                                            \xe2\x80\xa2 Identification and\nand practices, including the                                                              Authentication\n                                     Technical\nFDIC\xe2\x80\x99s compliance with the                                                              \xe2\x80\xa2 Access Control\nFISMA and related information                                                           \xe2\x80\xa2 Audit and Accountability\nsecurity policies, procedures,      Source: KPMG\xe2\x80\x99s 2007 Evaluation of the FDIC\xe2\x80\x99s Information Security 
Program.\nstandards, and guidelines.\nTo view the full report, go to\nwww.fdicig.gov/2007reports.aspUTH\n\x0cFederal Deposit Insurance Corporation\n3501 Fairfax Drive, Arlington, VA 22226                                           Office of Inspector General\n\n\n\nDATE:                                     September 27, 2007\n\nMEMORANDUM TO:                            Sheila C. Bair, Chairman\n                                          Federal Deposit Insurance Corporation\n\n                                          /Signed/\nFROM:                                     Jon T. Rymer\n                                          Inspector General\n\nSUBJECT:                                  Independent Evaluation of the FDIC\xe2\x80\x99s\n                                          Information Security Program\xe2\x80\x942007\n                                          (Report No. AUD-07-014)\n\n\nAttached is a copy of the subject report prepared by KPMG, LLP (KPMG) under contract with\nthe Office of Inspector General (OIG). Please refer to the Executive Summary for the overall\nresults.\n\nThe OIG provided you, the Chief Operating Officer, and Chief Financial Officer with a draft\ncopy of this report on September 14, 2007. Because the report contains no recommendations, no\nwritten response was required from the Corporation. However, KPMG did consider and address,\nas appropriate, informal comments provided by FDIC officials. In response to a request from the\nOffice of Management and Budget (OMB), the OIG reported separately on the status of the\nFDIC\xe2\x80\x99s privacy program in its report entitled, Response to Privacy Program Information Request\nin OMB\xe2\x80\x99s Fiscal Year 2007 Reporting Instructions for FISMA and Agency Privacy Management\n(Report No. 
AUD-07-013, dated September 26, 2007).\n\nThe OIG\xe2\x80\x99s independent security evaluation and privacy program reports, together with the FDIC\nChief Information Officer\xe2\x80\x99s report required by the Federal Information Security Management\nAct of 2002, are due to the OMB by October 1, 2007.\n\nThe 2007 FISMA report will be made publicly available. If you have any questions concerning\nthis report, please contact me at (703) 562-2166 or Russell A. Rau, Assistant Inspector General\nfor Audits, at (703) 562-6350. We appreciate the courtesies extended to the audit staff and\nKPMG during this assignment.\n\nAttachment\n\x0cIndependent Evaluation of the FDIC\xe2\x80\x99s\nInformation Security Program-2007\n\n\nPrepared for the\nFederal Deposit Insurance Corporation\nOffice of Inspector General\nSeptember 26, 2007\n\n\n\n\nKPMG LLP\n2001 M Street, NW\nWashington, DC 20036\n\x0c                                                            Table of Contents\n\nEXECUTIVE SUMMARY .......................................................................................................................... 1\nBACKGROUND .......................................................................................................................................... 4\n  NIST Security Standards and Guidelines.................................................................................................. 5\n  FDIC Systems and Applications ............................................................................................................... 6\n  FDIC Security Governance....................................................................................................................... 7\n  Information Security Program Initiatives ................................................................................................. 8\nRESULTS OF EVALUATION .................................................................................................................... 
9\nPROGRAM CONTROLS........................................................................................................................... 11\n  Information Security Governance........................................................................................................... 11\n  Enterprise Architecture (EA) .................................................................................................................. 12\nMANAGEMENT CONTROLS.................................................................................................................. 14\n  Risk Assessment (RA) ............................................................................................................................ 14\n  Planning (PL) .......................................................................................................................................... 15\n  System and Services Acquisition (SA) ................................................................................................... 16\n  Certification, Accreditation, and Security Assessments (CA) ................................................................ 17\nOPERATIONAL CONTROLS .................................................................................................................. 19\n  Physical and Environmental Protection (PE).......................................................................................... 19\n  Personnel Security (PS) .......................................................................................................................... 21\n  Contingency Planning (CP) .................................................................................................................... 23\n  Configuration Management (CM) .......................................................................................................... 
24\n  Maintenance (MA).................................................................................................................................. 25\n  System and Information Integrity (SI) .................................................................................................... 26\n  Media Protection (MP) ........................................................................................................................... 27\n  Incident Response (IR) ........................................................................................................................... 28\n  Awareness and Training (AT)................................................................................................................. 29\nTECHNICAL CONTROLS........................................................................................................................ 30\n  Identification and Authentication (IA).................................................................................................... 30\n  Access Control (AC)............................................................................................................................... 32\n  Audit and Accountability (AU)............................................................................................................... 34\n  System and Communications Protection (SC)........................................................................................ 35\n\nAPPENDICIES\nAPPENDIX I \xe2\x80\x93 OBJECTIVE, SCOPE, AND METHODOLOGY ............................................................ 36\nAPPENDIX II \xe2\x80\x93 STATUS OF OIG\xe2\x80\x99S FY2006 FISMA KEY STEPS ....................................................... 44\nAPPENDIX III \xe2\x80\x93 SUMMARY OF CONTROLS TESTED ....................................................................... 
45\nAPPENDIX IV \xe2\x80\x93 OMB SECURITY QUESTIONS................................................................................... 51\nAPPENDIX V \xe2\x80\x93 GLOSSARY OF TERMS ............................................................................................... 58\n\nTABLES\nTable 1: The FDIC\'s General Support Systems and Major Applications .................................................... 6\nTable 2: KPMG Assessment of the FDIC\xe2\x80\x99s Security Controls.................................................................. 10\nTable 3: Risk Assessment .......................................................................................................................... 14\nTable 4: Planning ....................................................................................................................................... 15\nTable 5: Certification, Accreditation, and Security Assessments .............................................................. 17\nTable 6: Physical and Environmental Protection ....................................................................................... 19\nTable 7: Personnel Security ....................................................................................................................... 21\nTable 8: FDIC Employee Risk Level Designations................................................................................... 22\nTable 9: Contingency Planning.................................................................................................................. 23\n\x0c                                                          Table of Contents\nTable 10:     Configuration Management ....................................................................................................... 24\nTable 11:     Maintenance............................................................................................................................... 
25\nTable 12:     System and Information Integrity .............................................................................................. 26\nTable 13:     Media Protection........................................................................................................................ 27\nTable 14:     Incident Response ...................................................................................................................... 28\nTable 15:     Awareness and Training ............................................................................................................ 29\nTable 16:     Identification and Authentication .............................................................................................. 30\nTable 17:     Access Control........................................................................................................................... 32\nTable 18:     Audit and Accountability........................................................................................................... 34\nTable 19:     Security Control Classes and Families ...................................................................................... 38\n\nFIGURES\nFigure 1: Managing Enterprise Risk (The Framework)............................................................................... 5\nFigure 2: The FDIC\xe2\x80\x99s Information Security Governance ............................................................................ 7\nFigure 3: EA Repository Challenges ......................................................................................................... 12\n\x0c                               KPMG LLP\n                               2001 M Street, NW\n                               Washington, DC 20036\n\n\n\n\nEXECUTIVE SUMMARY\n\nSeptember 26, 2007\n\nHonorable Jon T. Rymer\nInspector General\nFederal Deposit Insurance Corporation\n3501 Fairfax Drive\nArlington, VA 22226-3500\n\nDear Mr. 
Rymer:\n\nThis report presents the results of our independent evaluation of the FDIC\xe2\x80\x99s information security program\nand practices. The FDIC Office of Inspector General (OIG) contracted with KPMG to conduct a\nperformance audit of the FDIC\xe2\x80\x99s information security program and practices pursuant to the Federal\nInformation Security Management Act of 2002 (FISMA). We conducted our performance audit in\naccordance with Generally Accepted Government Auditing Standards issued by the Comptroller General\nof the United States. FISMA requires federal agencies, including the FDIC, to have an annual\nindependent evaluation performed of their information security program and practices and to report the\nresults of the evaluation to the Office of Management and Budget (OMB). FISMA requires that the\nindependent evaluation be performed by the agency Inspector General (IG) or an independent external\nauditor as determined by the IG.\n\nThe objective of KPMG\xe2\x80\x99s evaluation was to determine the effectiveness of the FDIC\xe2\x80\x99s information\nsecurity program and practices, including the FDIC\xe2\x80\x99s compliance with FISMA and related information\nsecurity policies, procedures, standards, and guidelines. As part of its work, KPMG prepared responses\nto a series of security-related questions directed to agency IGs in OMB Memorandum M-07-19, FY 2007\nReporting Instructions for the Federal Information Security Management Act and Agency Privacy\nManagement. The responses to OMB\xe2\x80\x99s questions are included in Appendix IV of this report. In addition,\nKPMG briefed the FDIC\xe2\x80\x99s Chief Information Officer and Director, Division of Administration, on the\npreliminary results of the evaluation on September 6, 2007. The purpose of the briefing was to provide\nthese management officials with detailed information to facilitate the FDIC\xe2\x80\x99s ongoing efforts to\nstrengthen its information security program controls. 
We consider the information provided during the\nbriefing to be sensitive. Accordingly, that information is not included in this publicly available report.\n\nAs our report details, the FDIC continues to make significant progress in improving its information\nsecurity program and practices and in addressing current and emerging information security standards and\nguidelines developed by the National Institute of Standards and Technology (NIST). However, KPMG\nidentified a number of information security control deficiencies warranting management attention.\nAddressing these security control deficiencies will contribute to the FDIC\xe2\x80\x99s ongoing efforts to achieve\nreasonable assurance of adequate security over Corporate information resources. Listed on page 2, in\npriority order, are six steps that the Corporation can take to improve the effectiveness of its information\nsecurity program controls. In many cases, the FDIC was already working to address these steps during\nKPMG\xe2\x80\x99s evaluation.\n\n\n\n                                                                                                    Page 1\n\n                                   KPMG LLP. KPMG LLP, a U.S. 
limited liability partnership, is\n                                   a member of KPMG International, a Swiss cooperative.\n\x0c(1) Strengthen Access Control by (a) continuing to place priority attention on ongoing efforts to restrict\n    user access to sensitive information stored on the Corporation\xe2\x80\x99s network shared drives, (b) disabling\n    or deleting separated employees\xe2\x80\x99 user account access to applications in a timely manner, and\n    (c) improving the separation of duties among the Windows network administrators.\n\n(2) Strengthen Identification and Authentication controls by ensuring that passwords used to control\n    access to critical information security resources, such as network servers, databases, and applications\n    comply with FDIC policy.\n\n(3) Enhance the effectiveness of the FDIC\xe2\x80\x99s information security vulnerability scanning processes by\n    ensuring that all information technology (IT) equipment connected to the FDIC\xe2\x80\x99s network are\n    routinely scanned with the appropriate user identification (ID) and password to identify missing\n    security patches and security configuration errors.\n\n(4) Strengthen Personnel Security controls by (a) assigning a high or moderate risk level designation to\n    contractor employees with broad physical access permissions to FDIC headquarters facilities and\n    confirming that the U.S. 
Office of Personnel Management (OPM) has sufficient contractor employee\n    information to start the appropriate background investigation process before granting broad physical\n    access, and (b) developing a process to assist in identifying employees and contractors with\n    background investigations that are not commensurate with individual risk level designations.\n\n(5) Strengthen Audit and Accountability controls by continuing to place priority attention on developing a\n    risk-based enterprise-wide approach for (a) monitoring user access privileges in information systems\n    and (b) generating and reviewing audit logs for the FDIC\xe2\x80\x99s inventory of information systems.\n\n(6) Enhance the FDIC\xe2\x80\x99s ongoing security control assessments in each of the five areas listed above to\n    provide greater assurance that such controls are operating effectively.\n\nThis performance audit did not constitute an audit of financial statements in accordance with Generally\nAccepted Government Auditing Standards. KPMG was not engaged to, and did not, render an opinion on\nthe FDIC\xe2\x80\x99s internal controls over financial reporting or over financial management systems. KPMG\ncautions that projecting our evaluation to future periods is subject to the risks that controls may become\ninadequate because of changes in conditions or because compliance with controls may deteriorate.\nAppendix I of this report provides detailed information regarding the evaluation\xe2\x80\x99s objective, scope, and\nmethodology, as well as additional information about information-security-related laws, regulations, and\nother guidance. Appendix II provides a status of prior year FISMA key steps to improve information\nsecurity, and Appendix III includes a summary of the controls tested as part of the 2007 FISMA\nevaluation. 
Appendix IV is the response to OMB Security Questions, and Appendix V provides a\nglossary of terms.\n\nSincerely,\n\n\n\n\n                                                                                                     Page 2\n\x0c                                                     List of Acronyms\n\n\nAcronym                      Definition                         Acronym                    Definition\nASA         Application Security Assessment                     IDS        Intrusion Detection System\nBCP         Business Continuity Plan                            IG         Inspector General\nBIA         Business Impact Analysis                            IRIS       Internal Risks Information System\nC&A         Certification and Accreditation                     ISM        Information Security Manager\nCD/DVD      Compact Disc/Digital Video Disc                     ISPS       Information Security and Privacy Staff\nCFO         Chief Financial Officer                             IT         Information Technology\nCHRIS       Corporate Human Resources Information               KPMG       KPMG LLP\n            System\n                                                                NIST       National Institute of Standards and\nCIO         Chief Information Officer                                      Technology\nCMMI        Capability Maturity Model Integration               OIG        Office of Inspector General\n        \xc2\xae\nCOBIT       Control Objectives for Information and              OMB        Office of Management and Budget\n            related Technology\n                                                                OPM        Office of Personnel Management\nCOO         Chief Operating Officer\n                                                                PIA        Privacy Impact Assessment\nCSIRT       Computer Security Incident Response\n            Team                                                PII        Personally 
Identifiable Information\nDIT         Division of Information Technology                  PIV        Personal Identity Verification\nDOA         Division of Administration                          POA&M      Plan of Action & Milestones\nEA          Enterprise Architecture                             PUB        Publication\nFDIC        Federal Deposit Insurance Corporation               RCN        Remote Client Network\nFIPS        Federal Information Processing Standards            RUP\n                                                                       \xc2\xae\n                                                                           Rational Unified Process\nFISMA       Federal Information Security Management             SDLC       System Development Life Cycle\n            Act\nFMFIA       Federal Managers\xe2\x80\x99 Financial Integrity Act           SP         Special Publication\n\nFY          Fiscal Year                                         SQL        Structured Query Language\n\nGAO         Government Accountability Office                    SSPs       System Security Plans\n\nGSS         General Support System                              ST&E       Security Test & Evaluation\n\nHSPD        Homeland Security Presidential Directive            USB        Universal Serial Bus\n\nID          Identification                                      U.S.C.     
United States Code\n\n\n\n\n                                                                                                                 Page 3\n\x0cKPMG\xe2\x80\x99s Independent Evaluation of FDIC Information Security Program \xe2\x80\x93 2007\n\n\nBACKGROUND\n\nKey to achieving the FDIC\xe2\x80\x99s mission of maintaining stability and public confidence in the nation\xe2\x80\x99s\nfinancial system is safeguarding the sensitive information (including personally identifiable information\n(PII)) that the FDIC collects and manages in its role as federal deposit insurer of banks and savings\nassociations. In addition, as an employer and acquirer of services, the FDIC obtains sensitive information\nfrom its employees and contractors. Implementing proper controls over this information is critical to\nmitigating the risk of an unauthorized disclosure that could lead to identity theft, consumer fraud, and\npotential legal liability or public embarrassment for the Corporation. Widely publicized reports of\nnetwork compromises and data security breaches at federal agencies have raised concern among federal\nagencies, the public, and the Congress and underscore the importance of implementing strong, enterprise-\nwide information security controls. In addition, the U.S. Government Accountability Office (GAO) has\ndesignated information security as a government-wide, high-risk issue in its reports to the Congress since\n1997.\n\nIn response to concerns about the security of federal information systems, the Congress enacted Title III\nof the E-Government Act of 2002, commonly referred to as FISMA. FISMA focuses on improving the\noversight of federal information security programs and facilitating progress in correcting agency\ninformation security deficiencies. 
FISMA requires federal agencies, including the FDIC, to develop,\ndocument, and implement an agency-wide information security program that provides security for the\ninformation and information systems that support the operations and assets of the agency, including those\nprovided or managed by another agency, contractor, or other source.1 Under FISMA, agency heads are\nresponsible for providing information security protections commensurate with the risk and magnitude of\nharm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of\ninformation and information systems. Agency heads are also responsible for complying with the\nrequirements of FISMA and related policies, procedures, standards, and guidelines. FISMA directs\nagency heads to report annually to the OMB Director, Comptroller General, and selected congressional\ncommittees on the adequacy and effectiveness of agency information security policies, procedures, and\npractices and compliance with FISMA. In addition, FISMA requires agencies to have an annual\nindependent evaluation performed of their information security programs and practices and to report the\nevaluation results to OMB. FISMA states that the independent evaluation is to be performed by the\nagency IG or an independent external auditor as determined by the IG.\n\nOMB is responsible for annually reporting to the Congress on agency compliance with FISMA\xe2\x80\x99s\nrequirements. OMB relies on the annual agency FISMA reports to evaluate agency-specific and\ngovernment-wide security performance. OMB provided federal agencies with instructions for satisfying\ntheir reporting requirements under FISMA in a July 25, 2007 memorandum, FY 2007 Reporting\nInstructions for the Federal Information Security Management Act and Agency Privacy Management.\nOMB\xe2\x80\x99s primary agency security policy is OMB Circular No. 
A-130, Management of Federal Information\nResources, Appendix III, Security of Federal Automated Information Resources (OMB A-130, Appendix\nIII), dated November 28, 2000.2\n\n\n\n\n1\n    The FDIC has determined that aspects of FISMA are legally binding on the Corporation.\n2\n    Various provisions of OMB A-130, Appendix III are legally binding on the FDIC.\n\n                                                                                                   Page 4\n\x0cKPMG\xe2\x80\x99s Independent Evaluation of FDIC Information Security Program \xe2\x80\x93 2007\n\nNIST Security Standards and Guidelines\n\nFISMA directs NIST to develop risk-based standards and guidelines to assist agencies in defining\nminimum security requirements for the non-national security systems used by agencies.3 NIST has\ndeveloped such standards and guidelines as part of its FISMA Implementation Project and is developing\nadditional standards and guidelines. KPMG based its security evaluation primarily on the security\ncontrols defined in NIST Federal Information Processing Standards (FIPS) Publication (PUB) 200,\nMinimum Security Requirements for Federal Information and Information Systems, and Special\nPublication (SP) 800-53 Revision (Rev.) 1, Recommended Security Controls for Federal Information\nSystems.4 These NIST publications define a framework for protecting the confidentiality, integrity, and\navailability of federal information and information systems consisting of three general classes of security\ncontrols, namely, management, operational, and technical. Collectively, these three security control\nclasses contain 17 control families. Each control family contains security controls related to the security\nfunctionality of the family. 
KPMG included one additional security control class (i.e., program) in its assessment methodology based on a review of NIST SP 800-100, Information Security Handbook: A Guide for Managers, and research of relevant security-related statutes, regulations, policies, and guidelines.

Federal security control requirements and assessment methodologies have changed dramatically in recent years in response to new NIST security standards and guidelines. Figure 1 illustrates the relationship of key NIST security standards and guidelines. Appendix I of this report provides additional information about FIPS PUBs and SPs, including their legal effect on the FDIC.

Figure 1: Managing Enterprise Risk (The Framework)
[Diagram not reproduced in this text.] Source: NIST SP 800-53 Rev. 1.

[3] FISMA authorizes the Secretary of Commerce to make NIST standards compulsory for executive agencies to the extent determined necessary to improve the efficiency and security of federal information systems. The Secretary of Commerce exercises this authority subject to the direction of the President and in coordination with the OMB Director. Because the Secretary of Commerce does not have jurisdiction over the FDIC in this subject area, the standards published by the Secretary are not legally binding on the FDIC, but the FDIC’s policy is to voluntarily comply with those standards.
[4] Federal agencies must meet the minimum security requirements defined in NIST FIPS PUB 200 through the use of the suggested controls in NIST SP 800-53 Rev. 1. The FDIC has determined that the minimum standards contained in FIPS PUB 200 reflect reasonable business practices that the FDIC should seek to follow.

FDIC Systems and Applications

The FDIC relies extensively on information systems to support its business operations. The FDIC’s Division of Information Technology (DIT) maintains seven general support systems (GSS)[6] that provide basic processing and communications support for the 319 business application systems[7] in the Corporation’s application inventory. The FDIC’s business applications collect, process, store, and distribute mission-critical information, such as personnel and bank data, in support of the Corporation’s three primary program areas (Insurance, Supervision and Consumer Protection, and Receivership Management). The FDIC has classified nine of the business application systems as major applications.[8] Table 1 identifies the FDIC’s GSSs and major applications. The FDIC has aggregated its minor applications into the GSSs and major applications.

Table 1: The FDIC’s General Support Systems and Major Applications

General Support Systems:
  Mainframe
  Voice/Video
  Mid-range (UNIX) Servers
  Data Communications Infrastructure
  Windows Servers*
  Public Key Infrastructure
  Personal Systems

Major Applications:
  Assessment Information Management System II
  Asset Servicing Technology Enhancement Program
  Corporate Human Resource Information System
  FDICconnect
  Legal Integrated Management System
  New Financial Environment
  Receivership Liability System
  Risk-Related Premium System
  Virtual Supervisory Information on the Net

Source: DIT’s Information Security and Privacy Staff.[5]
* During the fiscal year 2007 FISMA evaluation, the FDIC re-defined the boundaries of the Windows Servers GSS to include Windows servers previously included in the Remote Access GSS.

[6] OMB A-130, Appendix III defines a GSS as an interconnected set of information resources under the same direct management and that shares common functionality. A system normally includes hardware, software, information, applications, communications, and people.
[7] According to the Enterprise Architecture (EA) Repository system inventory of application systems on July 31, 2007, the FDIC owned 305 application systems and outsourced 14 application systems. Using the July 31, 2007 EA Repository report, DIT Information Security and Privacy Staff (ISPS) identified 152 of the 319 application systems in the EA Repository inventory and seven GSSs as its risk management inventory subject to FISMA and NIST security requirements. According to the ISPS, the remaining 167 application systems in the EA Repository inventory were no longer in service, or were tools, utilities, or other objects that were not application systems and, therefore, were not included in the ISPS’s risk management inventory.
[8] OMB A-130, Appendix III defines a major application as one that requires special attention to security due to the risk and magnitude of harm resulting from the loss, misuse, unauthorized access to, or modification of, the information in the application.

FDIC Security Governance

Several key components comprise the FDIC’s information security governance structure. As illustrated in Figure 2, these components include the FDIC Chairman and Board of Directors; Chief Information Officer (CIO); Chief Operating Officer (COO); Chief Financial Officer (CFO); and the Directors of DIT, the Division of Administration (DOA), and other divisions and offices that own information systems.

Figure 2: The FDIC’s Information Security Governance (organization chart)
  Chairman and Board of Directors
    Inspector General
    Chief Information Officer
    Chief Financial Officer
      Director, Division of Finance
    Chief Operating Officer
      Director, Division of Supervision & Consumer Protection
      Director, Division of Information Technology
      Director, Division of Insurance & Research
      Director, Division of Resolutions & Receiverships
      Director, Division of Administration
    General Counsel
      Legal Division
Source: OIG Audit Report No. 06-022, Independent Evaluation of the FDIC’s Information Security Program—2006, dated September 2006.

The Chairman and Board of Directors are ultimately responsible for the security of the FDIC’s information and information systems. The CFO and CIO co-chair a Capital Investment Review Committee, which authorizes and monitors capital projects, including IT projects. 
The CIO has overall responsibility for the FDIC’s IT program, including information security. The CIO also serves as the FDIC’s Chief Privacy Officer, Senior Agency Official for Privacy,[9] and Director of DIT. In addition, a CIO Council composed of senior agency managers advises the CIO on all aspects of IT, including security. The COO manages the FDIC’s operating divisions, including DIT and DOA. DIT is responsible for providing a secure IT infrastructure and systems. DOA is responsible for providing physical and personnel security for the FDIC. Other division and office heads are responsible for ensuring that systems under their ownership or control conform to the FDIC’s security requirements. The OIG performs or contracts for audits and evaluations of the FDIC’s information security controls, including the annual independent evaluation of the Corporation’s security program required by FISMA.

The CIO has assigned primary responsibility for planning, developing, and implementing the FDIC’s information security program and operations to an Associate Director in DIT who reports directly to the CIO. In addition, the FDIC has established eight Information Security Managers (ISM) within its program divisions and offices to ensure a business focus on information security. The responsibilities of ISMs include promoting security awareness, providing security management and technical advice on behalf of their divisions and offices, and assessing the level of security needed and in place in corporate applications. DIT’s budget for calendar year 2007 is approximately $191 million, of which the FDIC estimated approximately $18 million is allocated to information security.

[9] The position of Senior Agency Official for Privacy arose from OMB Memorandum M-05-08, Designation of Senior Agency Officials for Privacy, whereas the Chief Privacy Officer resulted from section 522 of the Transportation, Treasury, Independent Agencies, and General Government Appropriations Act, which is Division H of the Consolidated Appropriations Act, 2005. The FDIC determined that the Corporation would comply with these provisions.

DOA’s Security and Emergency Preparedness Section is responsible for administering the FDIC’s physical and personnel security programs. Physical security includes activities such as badging employees, contractors, and visitors and protecting employees, visitors, and facilities from internal and external threats such as fire, theft, vandalism, sabotage, and terrorist activities. Personnel security includes activities such as performing credit checks, fingerprint checks, and background investigations of FDIC employees and contractors. The Security and Emergency Preparedness Section is also responsible for managing, directing, and testing the FDIC’s Emergency Preparedness Program, which includes the FDIC’s Emergency Response Plan and the Business Continuity Plan (BCP). Both plans have IT-related components. DIT and DOA coordinate on relevant corporate security matters.

Information Security Program Initiatives

The FDIC is working to implement a number of important initiatives to strengthen its information security program controls and operations. Of particular note, DIT is in the process of deploying software that automatically encrypts data stored on corporate laptop computers without manual intervention by users. The FDIC’s current laptop encryption software requires manual intervention by users, limiting management’s assurance that sensitive information is consistently encrypted. Additionally, DIT plans to implement a standardized encryption solution for sensitive data stored on removable media, such as Universal Serial Bus (USB) thumb drives and CDs/DVDs. In the fall of 2006, the FDIC undertook a multi-year, strategic initiative to conduct a comprehensive assessment (including usage level, continued need, data content, access rights, and access control monitoring procedures) of its network shared drives. The FDIC recognizes that its network shared drives contain significant amounts of sensitive information that may be at risk of unauthorized disclosure. In addition, DIT initiated the Identity Access Management project to develop a more efficient and effective process for controlling access to its corporate systems and data resources. Further, DIT is adopting the principles of the Control Objectives for Information and related Technology (COBIT®)[10] in its internal control program.

[10] COBIT® is an international IT controls governance framework.

RESULTS OF EVALUATION

The FDIC has made significant progress in recent years in addressing the information security provisions of FISMA and NIST. This progress is noteworthy given the considerable increase in information-security-related requirements levied on federal agencies. 
KPMG found that the FDIC established policies and procedures in substantially all of the security control areas evaluated. In addition, KPMG noted particular program strength in the areas of Information Security Governance, Incident Response, and Awareness and Training. KPMG also noted that a recent test of the FDIC’s IT disaster recovery capability was successful in achieving its primary objective of recovering mission-critical applications and GSSs within pre-determined timeframes. Further, the FDIC enhanced its configuration management controls by integrating information security into its Rational Unified Process (RUP®) systems development life cycle (SDLC) methodology and applying RUP® to IT infrastructure projects.

These accomplishments are notable. However, KPMG identified a number of information security control deficiencies warranting management attention. Addressing these security control deficiencies will contribute to the FDIC’s ongoing efforts to achieve reasonable assurance of adequate security over corporate information resources. If not addressed in a timely manner, these security control deficiencies could affect the results of future evaluations of the FDIC’s information security program. KPMG’s report identifies steps that the Corporation can take to strengthen security controls in Access Control; Identification and Authentication; Risk Assessments; Personnel Security; Audit and Accountability; and Certification, Accreditation, and Security Assessments. In many cases, the FDIC was already working to improve security controls in these areas during KPMG’s evaluation.

Table 2 below summarizes KPMG’s security program assessment results. The table structures KPMG’s results according to the security control framework defined in FIPS PUB 200 and SP 800-53 Rev. 1. The table includes one additional control class (i.e., program) based on the results of KPMG’s research of relevant security-related statutes, regulations, policies, and guidelines.[11] The detailed results of KPMG’s program assessment are presented after Table 2.

[11] Consistent with the FISMA provision that the annual evaluation can be based on a subset of agency systems, KPMG did not assess the System and Communications Protection or Systems and Services Acquisition control families defined in FIPS PUB 200 and SP 800-53 Rev. 1. Further, KPMG did not assess the Capital Planning control family under the Program Controls class. Appendix II describes the security control testing KPMG performed within each security control class and family.

Table 2: KPMG Assessment of the FDIC’s Security Controls

Program
  Control families tested that demonstrated effectiveness: Information Security Governance
  Control families tested that warrant management attention: Enterprise Architecture

Management
  Control families tested that demonstrated effectiveness: Planning
  Control families tested that warrant management attention: Risk Assessment; Certification, Accreditation, and Security Assessments

Operational
  Control families tested that demonstrated effectiveness: Contingency Planning; Configuration Management; Maintenance; Incident Response; Awareness and Training
  Control families tested that warrant management attention: Physical and Environmental Protection; Personnel Security; System and Information Integrity; Media Protection

Technical
  Control families tested that demonstrated effectiveness: None
  Control families tested that warrant management attention: Identification and Authentication; Access Control; Audit and Accountability

Source: 2007 KPMG Evaluation of the FDIC’s Information Security Program.

PROGRAM CONTROLS

Program controls define an enterprise-wide framework for planning, directing, and controlling resources to achieve agency security objectives. Based on our analysis of NIST SP 800-100 and relevant security-related statutes, regulations, policies, standards, and guidelines, program controls include three families for consideration: Information Security Governance, Capital Planning, and Enterprise Architecture. As part of the 2006 FISMA evaluation, the OIG performed extensive testing in these three areas. For 2007, KPMG’s evaluation of program controls was limited to Information Security Governance and the system inventory component of Enterprise Architecture. KPMG did not evaluate security controls related to Capital Planning. 
In summary, KPMG found the security controls tested related to Information Security Governance were effective, while controls tested for Enterprise Architecture warranted management attention.

Information Security Governance
Rating: Demonstrated Effectiveness

Information security governance involves the implementation of an enterprise-wide control structure that provides management with reasonable assurance that security controls are implemented as designed and operating effectively. Governance consists of (a) enterprise-wide security program policies and procedures that define key roles and responsibilities and (b) monitoring to assess whether security controls are achieving intended results. FISMA defines specific responsibilities and authorities for agency heads,[12] senior agency officials, and CIOs. Among those responsibilities are requirements for the CIO to develop and maintain an information security program and to report annually to the agency head on the effectiveness of the program and progress of remedial actions.

The FDIC has appointed a permanent CIO with corporate accountability and authority for information security, a senior agency information security officer who reports directly to the CIO, and a CIO Council composed of senior agency managers who advise the CIO on all aspects of IT. The FDIC has established a number of policies, procedures, and guidelines that generally define the security roles and responsibilities of corporate officials and contractor personnel. In addition, DIT published an Information Security Strategic Plan, and the CIO made periodic presentations to senior agency officials on corporate information security matters. Further, DIT is embracing the principles of COBIT® in its internal control program.

DIT has established a performance measurement program with a current policy, reporting requirements, and a balanced scorecard.[13] Overall, the performance measurement program is maturing, as evidenced by the addition of new performance metrics and retirement of less useful metrics. Currently, there are new metrics under development to better align DIT activities with the Corporation’s strategic initiatives. In 2008, DIT plans to include significant updates to its performance metrics. DIT could enhance the utility of the quarterly performance measures and the DIT balanced scorecard by automating the data collection and posting of performance results such that DIT managers could take corrective action more quickly when warranted. Currently, there is an 8- to 10-week time lag between the quarter end and the internal posting of performance results.

[12] For the purposes of our evaluation, we consider the FDIC’s Chairman to be the head of the Corporation. Nevertheless, the FDIC’s Board of Directors, by statute, has overall responsibility for managing the Corporation. The Board consists of five members: the Chairman, the Vice Chairman, an appointed Director, the Director of the Office of Thrift Supervision, and the Comptroller of the Currency.
[13] The balanced scorecard is a management tool designed to help organizations translate strategy into operational objectives that drive both behavior and performance. The scorecard was designed to improve current performance measurement systems by providing alternatives to managing organizational performance other than exclusively through financial measures.

Enterprise Architecture (EA)
Rating: Warrants Management Attention

In business and technological terms, an EA defines an organization’s current and target operating environments, including its information security architecture. Effectively representing security information in an EA ensures that security is adequately incorporated into agency system life cycle processes, as required by FISMA. In addition, FISMA requires agencies to develop and maintain an inventory of major information systems, which is a fundamental component of an agency EA.

The FDIC has taken a number of important steps toward full implementation of a corporate-wide EA. Of particular note, the FDIC has established an EA policy and EA governance structure, adopted an SDLC methodology,[14] and developed an EA Repository to store, classify, and organize its EA data (including security data). The FDIC’s EA Repository is the inventory of FDIC applications and tools.

In July 2007, the FDIC released an improved EA Repository that incorporates enhancements to permit the tracking of various security-related data elements and facilitates the tracking of major and minor applications. However, the FDIC has not assigned responsibility, in writing, for DIT managers or business owners to periodically (quarterly or semi-annually) review the contents of the EA Repository to ensure that it is accurate and reflects events such as system retirements, application upgrades or consolidations, and changes in application points of contact.

Figure 3: EA Repository Challenges
[Figure not reproduced in this text.] Source: KPMG Analysis.
According to DIT’s ISPS, 19 of the 319 application systems in the EA Repository were no longer in use at the FDIC as of July 31, 2007. The lack of data integrity in the EA Repository introduces inefficiencies by requiring the use of alternate sources to obtain accurate information, as noted in Figure 3 above. Developing guidance, establishing review procedures, and assigning responsibility will help improve data integrity, promote greater use of the EA Repository in DIT, and reduce reconciliation efforts to prepare a FISMA inventory summary for OMB reporting purposes.

The FDIC retired Circular 1320.3, Systems Development Life Cycle (SDLC), and replaced it with DIT Policy 07-005, Systems Development Life Cycle. At the time of our evaluation, DIT was working to update Circular 1303.1, FDIC Enterprise Architecture Program, dated November 7, 2003, to reflect the current roles and responsibilities and coordination among organizational entities involved with the FDIC’s Enterprise Architecture program. The OIG’s 2006 security evaluation report required by FISMA noted that Circular 1303.1 was out of date.

[14] The FDIC’s RUP® SDLC methodology includes FDIC-specific security requirements applicable to each phase of the development of an IT project.

MANAGEMENT CONTROLS

Management controls are the safeguards or countermeasures related to an information system that focus on the management of risk and system security. NIST SP 800-53 Rev. 1 divides management controls into four control families: Risk Assessment; Planning; System and Services Acquisition; and Certification, Accreditation, and Security Assessments. In summary, security controls tested related to Planning were effective. However, controls tested related to Risk Assessment and Certification, Accreditation, and Security Assessments warranted management attention. We did not evaluate controls related to System and Services Acquisition.

Risk Assessment (RA)
Rating: Warrants Management Attention

Risk is the probability of an adverse event occurring. Risk assessment involves the implementation of policies and procedures for categorizing information and systems, performing and updating risk assessments, and performing regular system vulnerability scanning. Risk assessments occur in the system life cycle during the information system’s initial development, after significant upgrades, and after the completion of a Security Test & Evaluation (ST&E).[15] Additionally, conducting a risk assessment provides the agency with insight as to whether the security controls in place adequately mitigate threats to the confidentiality, integrity, and availability of the information processed by the system. Further, a current and complete risk assessment satisfies a control requirement of the certification and accreditation (C&A) process as outlined in NIST SP 800-53 Rev. 1 and SP 800-37. Under FISMA, agencies are responsible for (a) providing security protections commensurate with the risk and magnitude of harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems; and (b) establishing policies and procedures that ensure information security is addressed throughout the life cycle of each agency information system.

Table 3: Risk Assessment
RA-1  Risk Assessment Policies and Procedures
RA-2  Security Categorization
RA-3  Risk Assessment
RA-4  Risk Assessment Update
RA-5  Vulnerability Scanning
Source: NIST SP 800-53 Rev. 1.
Legend: the controls highlighted in the original table (highlighting not reproduced here) are the security controls selected for KPMG testing.

KPMG identified deficiencies in the FDIC’s monthly vulnerability scanning process that prevented some Internet-facing servers and other network equipment from being scanned on a monthly basis. Monthly vulnerability scanning is a key control to identify missing security patches and configuration errors on servers and other network equipment. The OIG recommended in its draft audit report, FDIC’s IT Disaster Recovery Capability, further enhancements to the FDIC’s vulnerability scanning process to ensure all IT devices connected to the network are scanned on a monthly basis. The FDIC initiated corrective actions before that audit’s closure.

The FDIC has policies and procedures in place for performing risk assessments for information systems that are generally consistent with NIST guidelines. In addition, DIT leverages an automated risk assessment tool that incorporates the NIST SP 800-53 Rev. 1 control families to identify potential vulnerabilities and countermeasures. 
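Two of the deficiencies described above are the same underlying problem seen from opposite sides: devices connected to the network that the monthly vulnerability scan never reached, and an EA Repository inventory that still listed systems no longer in use. Both are caught by reconciling the authoritative inventory against what the scanner actually observed. The following is an added example, not code from KPMG’s report, the FDIC, or any scanner product. The inventory, the owners, the hostnames, the scan dates, and the two-column CSV export format are all constructed for illustration; a real deployment would read the inventory and the scanner’s export from their actual sources.

```python
"""Reconcile an asset inventory against vulnerability-scan results.

Added example (not code from KPMG, the FDIC, or any scanner vendor).
Every hostname, owner, date, and the export format below is constructed.
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed inventory: the hosts the organization believes are in service
# (a stand-in for an EA Repository or GSS component list). The last entry
# was retired but never removed, which is the inventory-integrity problem.
INVENTORY = {
    "web01.example.test": "DIT",
    "web02.example.test": "DIT",
    "db01.example.test": "DIT",
    "fw01.example.test": "DIT",
    "legacy01.example.test": "DOA",
}

# Constructed scanner export: one row per host per completed scan.
SCAN_EXPORT = """\
host,scan_date
web01.example.test,2007-06-27
web01.example.test,2007-07-28
web02.example.test,2007-06-02
db01.example.test,2007-07-30
fw01.example.test,2007-04-15
vpn01.example.test,2007-07-29
"""


def parse_scan_export(text):
    """Return {host: most recent scan date} from the CSV export."""
    latest = {}
    for row in csv.DictReader(io.StringIO(text)):
        host = row["host"].strip()
        when = datetime.strptime(row["scan_date"].strip(), "%Y-%m-%d")
        if host not in latest or when > latest[host]:
            latest[host] = when
    return latest


def reconcile(inventory, last_scans, as_of, window_days=30):
    """Compare the inventory with observed scans.

    Returns a dict of three sorted lists:
      never_scanned  inventory hosts with no scan record at all
      stale          inventory hosts whose last scan predates the window
      unregistered   scanned hosts that are absent from the inventory
    The first two are coverage gaps in the monthly scan; the third means
    the inventory itself is out of date.
    """
    cutoff = as_of - timedelta(days=window_days)
    return {
        "never_scanned": sorted(h for h in inventory if h not in last_scans),
        "stale": sorted(h for h, t in last_scans.items()
                        if h in inventory and t < cutoff),
        "unregistered": sorted(h for h in last_scans if h not in inventory),
    }


def coverage_ratio(inventory, last_scans, as_of, window_days=30):
    """Fraction of inventory hosts scanned within the window (0.0 to 1.0)."""
    if not inventory:
        return 0.0
    cutoff = as_of - timedelta(days=window_days)
    covered = sum(1 for h in inventory
                  if h in last_scans and last_scans[h] >= cutoff)
    return covered / len(inventory)


def run_example():
    """Reconcile the constructed data as of 2007-07-31; returns (findings, coverage)."""
    as_of = datetime(2007, 7, 31)
    last_scans = parse_scan_export(SCAN_EXPORT)
    return (reconcile(INVENTORY, last_scans, as_of),
            coverage_ratio(INVENTORY, last_scans, as_of))


if __name__ == "__main__":
    findings, coverage = run_example()
    print(f"Scan coverage (30-day window): {coverage:.0%}")
    for label, hosts in findings.items():
        for host in hosts:
            owner = INVENTORY.get(host, "(not in inventory)")
            print(f"  {label:<14} {host:<24} owner={owner}")
```

On the constructed data the check reports legacy01 as never scanned, fw01 and web02 as stale, vpn01 as scanned but unregistered, and 40 percent coverage. Each finding maps to a different corrective action: a never-scanned or stale host means the scan schedule or network reachability needs fixing, while an unregistered host means the inventory owner has to add or retire a record, which is exactly the periodic review responsibility the report says had not been assigned in writing.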
However, KPMG observed that the risk assessments for two selected GSSs, the Windows Servers GSS and Personal Systems GSS, were not updated in the previous three years, or when a significant change occurred to the system, as prescribed by FDIC policy and recommended in NIST guidelines.[16] In the three years following the most recent risk assessments for these systems, significant changes occurred in the FDIC’s Windows server environment. Specifically, DIT upgraded approximately one-half of the FDIC’s Windows servers (285 out of 596 servers) from the Windows 2000 and Windows NT 4.0 operating systems to the Windows 2003 operating system. In addition, DIT expanded the boundaries of the Windows Servers GSS to include 87 FDIC-defined minor applications and contractor systems. DIT’s ISPS acknowledged that the risk assessments for these systems had not been updated but explained that full ST&Es for both GSSs had been conducted in the previous two years as well as annual security self-assessments. ISPS concluded that the ST&Es and self-assessments satisfied the intent of NIST’s risk assessment guidance.

However, risk assessments identify the controls necessary for adequate security, while ST&Es test the effectiveness of security controls. Accordingly, KPMG believes that DIT should update risk assessments as part of a continuous process that incorporates the outcomes of the ST&Es as recommended by NIST risk management guidance.[17] For example, control deficiencies identified from ST&Es should be subsequently incorporated into risk assessments to retain lessons learned from past control assessments. Where security exposures exist, the risk assessment should suggest additional or compensating controls to mitigate risk. Updates to the risk assessment and identification of additional or compensating controls are subsequently incorporated into System Security Plans (SSPs) and then tested as part of the ST&E.

[15] ST&E is an examination and analysis of the security safeguards of a system as they have been applied in an operational environment to determine the security posture of the system.
[16] NIST SP 800-37 states that information system risk assessments are to be performed every three years or whenever there is a significant change to the system or its operational environment.
[17] NIST SP 800-30, Risk Management Guide for Information Technology Systems, and NIST SP 800-53 Rev. 1, Recommended Security Controls for Federal Information Systems.

Planning (PL)
Rating: Demonstrated Effectiveness

Planning involves the implementation of policies, procedures, and practices for developing SSPs. Security plans provide an overview of system security requirements and describe the security controls in place or planned for meeting those requirements. Planning also involves establishing rules that describe user responsibilities and expected behavior related to system usage, as well as conducting system Privacy Impact Assessments (PIA).[18]

Table 4: Planning
PL-1  Security Planning Policy and Procedures
PL-2  System Security Plan
PL-3  System Security Plan Update
PL-4  Rules of Behavior
PL-5  Privacy Impact Assessment
PL-6  Security-Related Activity Planning
Source: NIST SP 800-53 Rev. 1.
Legend: the controls highlighted in the original table (highlighting not reproduced here) are the security controls selected for KPMG testing.

The FDIC’s security planning policies and procedures were generally consistent with NIST security standards and guidelines. Following the OIG’s 2006 FISMA evaluation, the FDIC strengthened its security planning controls by establishing policy and procedures requiring application owners to maintain security plans in StarTeam[19] and to update the SSPs as part of the SDLC process. However, guidance for preparing SSPs should be enhanced to require that security plans describe how common security controls[20] are considered in the security C&A process, as noted in the 2006 FISMA evaluation. ST&Es of common security controls are performed separately from ST&Es of application and GSS security controls. Enhancing guidance for preparing SSPs would provide greater assurance that all relevant risks identified from the common controls ST&Es are considered when accrediting an application or system.

Following the OIG’s 2006 FISMA evaluation, the FDIC strengthened controls in the Planning family by enhancing its Security Plan template to incorporate the NIST SP 800-53 Rev.

[18] PIAs are required under the E-Government Act of 2002 as implemented by OMB’s September 26, 2003 Memorandum (M-03-22) entitled, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002.
[19] StarTeam is a repository of documents and software source code that permits the FDIC to perform version control and track revision history.
1 control families. The\nFDIC also aligned its minor applications with its GSSs and major applications. The FDIC performed this\nrealignment to increase efficiency, identify shared common controls, and incorporate refinements from\nNIST SP 800-53 Rev. 1. Further, in the OIG\xe2\x80\x99s Audit Report No. AUD-07-013, Response to Privacy\nProgram Information Request in OMB\xe2\x80\x99s Fiscal Year 2007 Reporting Instructions for FISMA and Agency\nPrivacy Management, the OIG concluded that the FDIC\xe2\x80\x99s PIA process was satisfactory and consistent\nwith relevant privacy-related policy, guidance, and standards.\n\n\nSystem and Services Acquisition (SA)\nRating: Not Evaluated\n\nSystem and services acquisition involves allocating resources to protect information systems,\nimplementing an SDLC methodology that addresses security, and including security requirements and/or\nspecifications in systems acquisitions. System and services acquisition also includes controls for system\ndocumentation, software usage restrictions, security engineering principles, configuration management,\nand developing security testing during development projects. KPMG did not perform sufficient testing to\nassess system and services acquisition. The OIG may evaluate system and services acquisition security\ncontrols in future FISMA evaluations.\n\n\n\n\n20\n     Common security controls can be applied to one or more information systems. 
Examples of common security\n     controls include controls in Personnel Security, Incident Response, Physical and Environmental Protection, and\n     Contingency Planning.\n\n                                                                                                             Page 16\n\x0cKPMG\xe2\x80\x99s Independent Evaluation of FDIC Information Security Program \xe2\x80\x93 2007\n\n\nCertification, Accreditation, and Security Assessments (CA)\nRating: Warrants Management Attention\n\nThe certification and accreditation of federal                    Table 5: Certification, Accreditation, and\ninformation systems is critical to securing the                   Security Assessments\ngovernment\xe2\x80\x99s operations and assets. Certification                 CA-1          Certification, Accreditation, and\ninvolves the evaluation of an information system\xe2\x80\x99s                              Security Assessment Policies and\nmanagement, operational, and technical security                                 Procedures\n\ncontrols. Accreditation involves a senior agency                  CA-2          Security Assessments\nofficial\xe2\x80\x99s authorization of an information system to              CA-3          Information System Connections\noperate. OMB requires agencies to certify and                     CA-4          Security Certification\naccredit their information systems in accordance with             CA-5          Plan of Action and Milestones\nfederal security policies, standards, and guidelines.\n                                                                  CA-6          Security Accreditation\nAt the close of KPMG\xe2\x80\x99s current year evaluation, the\n                                                                  CA-7          Continuous Monitoring\nFDIC reported that it had fully certified and                     Source: NIST SP 800-53 Rev. 1.\naccredited its major applications and GSSs.                       
Legend:   Selected security controls for KPMG testing\n\n\nThe FDIC\xe2\x80\x99s certification, accreditation, and security assessment policies and procedures were generally\nconsistent with NIST security standards and guidance. However, the FDIC needed to enhance its ongoing\nsecurity control assessments of its information systems to provide greater assurance that controls are\noperating effectively. Such enhancements could include, for example, expanding the testing of minor\napplications, contractor systems, and IT computer services (e.g., Structured Query Language (SQL)\ndatabase server, Exchange e-mail server). Such enhancements would allow the FDIC to identify and\ncorrect the types of operational and technical control deficiencies discussed in this report. Such\ndeficiencies include weak password controls over application and database accounts with access to\nsensitive information, including PII; sensitive network applications with excessive access privileges;\ninsufficient application audit logging and monitoring; and inadequately secured audit logs.\n\nIn the prior three OIG FISMA reports to OMB and the Congress, the OIG had suggested that DIT modify\nits Plans of Action and Milestones (POA&M) procedures to ensure that all relevant information security\ndeficiencies are incorporated into or accompany system-level POA&Ms. Previously, the FDIC used\nvarious systems to track and report system-level security deficiencies based on how the deficiency was\nidentified. For example, system-level security deficiencies identified during the ST&E process were\ntracked and reported through system-level POA&Ms, while system-level security deficiencies identified\nduring GAO, OIG, and others\xe2\x80\x99 reviews were tracked in the Internal Risks Information System (IRIS).21\nIn June 2007, the ISPS modified its POA&M practices by developing a POA&M template and process to\ncapture control deficiencies identified by other security reviews beyond the ST&E. 
ISPS has informed\nthe FDIC\xe2\x80\x99s ISMs that POA&Ms should include findings from risk assessments, technical security\nassessments, ST&Es, FISMA self-assessments, and FDIC OIG or GAO audit findings. KPMG applauds\nDIT\xe2\x80\x99s decision to centralize and consolidate the tracking of information security deficiencies, as this\napproach is consistent with NIST and OMB guidance.\n\n\n\n\n21\n     IRIS is the FDIC\xe2\x80\x99s official tracking database for all GAO and FDIC OIG audits and reviews. It is used to track\n     audit findings/conditions, recommendations, and corrective actions/milestones. FDIC divisions and offices can\n     also use IRIS to track the results of their internal control reviews, visitations, and other activities related to\n     managing risks.\n\n                                                                                                                          Page 17\n\x0cKPMG\xe2\x80\x99s Independent Evaluation of FDIC Information Security Program \xe2\x80\x93 2007\n\nWhile DIT\xe2\x80\x99s revised approach for tracking information security vulnerabilities is positive, continued\nmanagement attention is necessary to ensure the POA&Ms include all known information security\ndeficiencies. During fieldwork, KPMG observed two instances where information security deficiencies\nwere not subsequently incorporated into system-level POA&Ms. In one instance, DIT\xe2\x80\x99s information\nsecurity contractor identified security deficiencies associated with System and Information Integrity\nsecurity control, SI-2 Flaw Remediation, that was not incorporated into the Windows Servers POA&M.\nIn another instance, previously reported security deficiencies associated with session time out for inactive\nremote network connections were not captured in the Windows Servers or Data Communications\nInfrastructure POA&M. 
Continued management attention on incorporating all known information\nsecurity deficiencies into POA&Ms will enable management to better prioritize remediation efforts and\ntrack issues through closure.\n\n\n\n\n                                                                                                     Page 18\n\x0cKPMG\xe2\x80\x99s Independent Evaluation of FDIC Information Security Program \xe2\x80\x93 2007\n\n\nOPERATIONAL CONTROLS\n\nOperational controls are the safeguards and countermeasures for an information system that are primarily\nimplemented and executed by individuals (as opposed to information systems). Operational controls\ninclude nine control families: Physical and Environmental Protection; Personnel Security; Contingency\nPlanning; Configuration Management; Maintenance; System and Information Integrity; Media\nProtection; Incident Response; and Awareness and Training. In summary, the controls tested in the areas\nof Contingency Planning, Maintenance, Incident Response, Configuration Management and Awareness\nand Training were effective. However, the controls tested related to Physical and Environmental\nProtection, Personnel Security, System and Information Integrity, and Media Protection warranted\nmanagement attention.\n\n\nPhysical and Environmental Protection (PE)\nRating: Warrants Management Attention\n                                                                  Table 6: Physical and Environmental Protection\nPhysical and environmental protection relates to those            PE-1         Physical Security and\nsecurity measures aimed at safeguarding information                            Environmental Policy and\n                                                                               Procedures\nsystems, facilities, and related supporting\ninfrastructures from threats. 
Such security measures              PE-2         Physical Access Authorizations\ninclude, but are not limited to, physical access controls,        PE-3         Physical Access Control\nemergency power and lighting, fire protection, and                PE-4         Access Control for Transmission\ntemperature and humidity controls. Such measures also                          Medium\ninclude procedures for the delivery and removal of                PE-5         Access Control for Display Medium\nsystems hardware, firmware, and software to and from              PE-6         Monitoring Physical Access\nfacilities.                                                       PE-7         Visitor Control\n                                                                  PE-8         Access Records\nThe FDIC has established corporate-wide physical\n                                                                  PE-9         Power Equipment and Cabling\nsecurity program policies22 and procedures. In addition,\nDIT has conducted security tests and evaluations of               PE-10        Emergency Shutoff\nPhysical and Environmental Protection controls and                PE-11        Emergency Power\ndeveloped POA&Ms to address the control deficiencies              PE-12        Emergency Lighting\nit identified. Further, DOA maintained physical access            PE-13        Fire Protection\nlogs for the Virginia Square Data Center. 
Additionally,           PE-14        Temperature and Humidity Controls\nDOA enhanced controls over visitors to the FDIC\xe2\x80\x99s\n                                                                  PE-15        Water Damage Protection\nheadquarters facilities by adopting procedures in\n                                                                  PE-16        Delivery and Removal\nFebruary 2007 that ensure the verification of visitors\xe2\x80\x99\nbackgrounds and intended purposes before allowing                 PE-17        Alternate Work Site\n\ntheir entry. Such actions were positive; however,                 PE-18        Location of Information System\nduring the evaluation, the OIG identified several                              Components\nphysical security control deficiencies warranting                 PE-19        Information Leakage\nmanagement attention.                                             Source: NIST SP 800-53 Rev. 1.\n                                                                  Legend: 9Selected security controls for OIG testing\n\nOn July 3, 2007, the OIG conducted an after-hours\nwalkthrough of the FDIC\xe2\x80\x99s Virginia Square facility in Arlington, Virginia, and identified one exterior\n\n22\n     Such policies include Circulars 1610.1, FDIC Physical Security Program; and 1600.2, FDIC Security in the\n     Workplace Program.\n\n                                                                                                                        Page 19\n\x0cKPMG\xe2\x80\x99s Independent Evaluation of FDIC Information Security Program \xe2\x80\x93 2007\n\ndoor to the building and several interior doors to the mainframe and server computer rooms that were\nunsecured. The doors had been automatically unlocked during our walkthrough by the building\xe2\x80\x99s\nemergency system in response to a water leak in the fire suppression system. 
However, for several hours,\nbuilding security personnel were unaware that these doors remained unsecured. Such a vulnerability\npresented a risk that unauthorized individuals could enter the Virginia Square facility or access sensitive\ncomputing areas. An OIG representative notified building security personnel of the vulnerable doors, and\nguards were subsequently placed at the doors until they were locked. OIG representatives discussed this\nphysical access control vulnerability with DOA officials. DOA subsequently improved procedures for\nrestoring physical access security at the Virginia Square facility following an emergency.\n\nThe OIG also identified four unsecured mechanical rooms housing the Virginia Square facility\xe2\x80\x99s heating,\nventilation, and air conditioning systems, water supply, and electrical equipment. After bringing this\nmatter to DOA\xe2\x80\x99s attention, DOA officials determined that the mechanical room doors were not closing\nproperly for various reasons, such as internal airflow pressure on the doors and improper sealing around\nthe doorframes. Prior to the close of our fieldwork, DOA adjusted all four mechanical room doors to\nensure they properly close and lock. In addition, during a June 20, 2007 after-hours walkthrough, the\nOIG identified an unsecured engineering room in the FDIC\xe2\x80\x99s main headquarters building housing critical\nelectrical equipment. After alerting the building\xe2\x80\x99s security personnel to this vulnerability, the engineering\nroom was locked.\n\nThe Physical and Environmental Protection control family also includes controls for authorizing physical\naccess to facilities. The OIG was unable to determine whether selected employees recently hired by the\nFDIC with access to the FDIC\xe2\x80\x99s facilities had an appropriate access authorization because access\nauthorization documentation was not readily available. 
Using a non-statistical sample23 of 20 employees\nhired by the FDIC from July 1, 2006 through April 30, 2007, the OIG attempted to verify whether FDIC\nForm 1620/01, Employee/Contractor Identification Card Request (or equivalent documentation), had\nbeen completed and approved.24 DOA officials were unable to locate a completed FDIC Form 1620/01\nfor seven of the 20 selected employees. The OIG cited a lack of completed FDIC Forms 1620/01 as a\ndeficiency in its 2006 FISMA evaluation report. In response to the OIG\xe2\x80\x99s findings, DOA decided to\ndocument the authorization and approval of FDIC-issued identification badges for employees already on-\nboard in conjunction with the issuance of new personal identity verification cards that implement\nHomeland Security Presidential Directive/Hspd-12, Policy for a Common Identification Standard for\nFederal Employees and Contractors (HSPD-12).25 FDIC Forms 1620/01 would continue to be completed\nwhenever new identification cards are issued. However, based on the OIG\xe2\x80\x99s current year work, DOA\nneeds to implement additional measures to ensure that FDIC Forms 1620/01 are maintained when new\nidentification cards are issued.\n\n\n\n\n23\n   Within this report, we used non-statistical samples and duly noted their use. The results of non-statistical samples\n   cannot be projected to the intended population by standard statistical methods.\n24\n   FDIC Circular 1610.1, FDIC Physical Security Program, states that administrative officers are responsible for\n   approving FDIC Form 1620/01 for all new employees, interns, detailees, and others who require an FDIC\n   identification badge. Once completed and approved, the form is provided to DOA\xe2\x80\x99s Corporate Services Branch.\n25\n   On August 27, 2004, the President issued HSPD-12 requiring the development and implementation of a\n   mandatory, government-wide standard for secure and reliable forms of identification. 
The FDIC is not required to\n   implement HSPD-12, but has decided to voluntarily comply with HSPD-12.\n\n                                                                                                               Page 20\n\x0cKPMG\xe2\x80\x99s Independent Evaluation of FDIC Information Security Program \xe2\x80\x93 2007\n\nPersonnel Security (PS)\nRating: Warrants Management Attention\n                                                          Table 7: Personnel Security\nPersonnel security involves the implementation of         PS-1       Personnel Security Policy and\npolicies, procedures, and practices for assigning                    Procedures\n\nrisk designations to positions, screening                 PS-2       Position Categorization\nindividuals for those positions, and ensuring that        PS-3       Personnel Screening\nsystems access is terminated when personnel leave         PS-4       Personnel Termination\nan agency or are transferred. Personnel security          PS-5       Personnel Transfer\nalso involves ensuring that appropriate access\n                                                          PS-6       Access Agreements\nagreements, such as nondisclosure and conflict of\n                                                          PS-7       Third-Party Personnel Security\ninterest agreements, are in place for employees and\ncontractors and implementing a formal sanctions           PS-8       Personnel Sanctions\n                                                          Source: NIST SP 800-53 Rev. 1.\nprocess for personnel who fail to comply with             Legend: 9 Selected security controls for OIG testing\nsecurity policies and procedures.\n\nThe FDIC has established personnel-related (employees and contractors) policies, procedures, and\nguidelines26 that are generally consistent with NIST guidelines. 
In addition, the OIG noted that\nemployees and contractors were preparing written confidentiality agreements as prescribed by Circular\n2410.1 and the FDIC\xe2\x80\x99s Acquisition Policy Manual.27 Further, DIT was in the process of validating its\nemployee position descriptions against actual duties and responsibilities in response to the division\xe2\x80\x99s\nrecent re-organization. DIT plans to re-evaluate the appropriateness of its employee risk level\ndesignations after it completes ongoing efforts to validate its employee position descriptions. These\nactions were positive; however, as discussed below, the OIG identified Personnel Security-related control\ndeficiencies warranting management\xe2\x80\x99s attention.\n\nThe OIG reviewed background investigation documentation for employees and contractors to determine\nwhether individuals with physical access to the Virginia Square mainframe or server computer rooms had\na background investigation commensurate with the risk associated with their access. FDIC and contractor\nemployees working in FDIC offices undergo a fingerprint and credit check before they are allowed access\nto FDIC facilities. After an individual begins work, the FDIC and the individual send additional personal\ninformation to OPM for a background investigation. Of the 185 individuals who, as of July 13, 2007, had\nphysical access to the mainframe or server computer rooms, 33 did not have OPM background\ninvestigations commensurate with the risk associated with their access because the scope of their OPM\ninvestigation was below the Moderate risk level. All 33 individuals were DOA contractor employees\nassigned to contracts that had a risk level designation of Low. Further, the OIG noted that the FDIC had\nnot initiated a background investigation with OPM for six of the 33 referenced individuals and that one of\nthe six individuals had worked for the FDIC for over two years. 
The FDIC should evaluate the risk level\ndesignations of contractor employees with physical access to restricted areas, such as the computer rooms,\nand allow access only after confirming that OPM has sufficient information to conduct the appropriate\nbackground investigation. The OIG briefed DOA management on this condition during the evaluation\nand identified the individual contractor employees for DOA\xe2\x80\x99s review. DOA started the OPM background\n\n\n26\n   Such policies include Circulars 2120.1, Personnel Suitability Program; 2210.1, FDIC Position Management and\n   Classification Program; 2150.1, Pre-Exit Clearance Procedures for FDIC Employees; and 2410.1, Public and\n   Confidential Financial Disclosure Report and Other Related Employee Ethics Forms Required to be Filed.\n27\n   Based on an OIG review of a non-statistical sample of 20 employees hired by the FDIC from July 1, 2006 through\n   April 30, 2007 and 18 security contractor employees at the regional offices the OIG visited.\n\n                                                                                                                 Page 21\n\x0cKPMG\xe2\x80\x99s Independent Evaluation of FDIC Information Security Program \xe2\x80\x93 2007\n\ninvestigation process for the six contractor employees without an OPM background investigation and is\nreviewing the duties and risk level designations for the 33 contractor employees.\n\nUsing information in the Corporate Human Table 8: FDIC Employee Risk Level Designations\nResources Information System (CHRIS),28       CHRIS Risk              Number of        Number of      Insufficient\nthe OIG selected a separate non-statistical   Level                  Employees         Employees      Background\nsample of 197 of the FDIC\xe2\x80\x99s 4,658             Designation                               Sampled       Investigation\nemployees on board as of July 19, 2007 to     National                          63                3\ndetermine whether 
background                  Security*\ninvestigations were commensurate with\n                                              High                            348                29\nrisk level designations. As shown in\n                                              Moderate                      2,856               161              32\nTable 8, the OIG found that 32 employees\n                                              Low                           1,391                 4\nin positions with a Moderate risk level\n                                              Totals                        4,658               197              32\ndesignation had a background investigation\n                                            Source: OIG analysis of CHRIS and DOA records.\nconsistent with a Low risk level position.  * National Security clearance levels are Secret and Top Secret.\nAccording to a DOA representative, for\nemployees with a High and National Security risk level designation in CHRIS, DOA performed monthly,\nmanual reviews of completed background investigations to identify discrepancies. However, a similar\nreview is not performed for employees with a Moderate risk level designation because of the large\nnumber of employees in this category. DOA should develop procedures to better ensure that employee\nbackground investigations are commensurate with risk level designations. We discussed this issue with\nDOA during the evaluation, and DOA began a review of the 32 employees\xe2\x80\x99 risk level designations and\nbackground investigations.\n\nDOA recognizes that improvements are needed in its processes for establishing risk level designations\nand conducting background investigations. In a September 29, 2006 internal report, DOA\xe2\x80\x99s Management\nSupport Section concluded that audit trails for approving, authorizing, verifying, reconciling, and\nmaintaining risk level designation determinations within DOA were not clearly evident as changes are\nmade. 
The report also noted that supporting documentation was often not retained or did not exist to\nsupport risk level determinations or changes in risk level assignments within DOA. DOA was working to\naddress the deficiencies identified in the internal review report during this evaluation.\n\n\n\n\n28\n     CHRIS is a major application that provides human resource related information.\n\n                                                                                                            Page 22\n\x0cKPMG\xe2\x80\x99s Independent Evaluation of FDIC Information Security Program \xe2\x80\x93 2007\n\nContingency Planning (CP)\nRating: Demonstrated Effectiveness\n                                                                      Table 9: Contingency Planning\nEffective contingency planning and testing is essential to            CP-1     Contingency Planning Policy and\nmitigate the risk of system and service unavailability.                        Procedures\n\nContingency planning involves developing and                          CP-2     Contingency Plan\nimplementing system contingency plans that address roles,             CP-3     Contingency Training\nresponsibilities, and activities associated with restoring a          CP-4     Contingency Plan Testing and\nsystem after a disruption or failure. Such planning also                       Exercises\ninvolves training personnel, testing systems, performing              CP-5     Contingency Plan Update\nsystem backups, and establishing alternative processing               CP-6     Alternative Storage Sites\nsites.\n                                                                      CP-7     Alternative Processing Sites\n                                                                  CP-8      Telecommunication Services\nThe FDIC has taken a number of positive steps in the area\nof contingency planning. 
CP-9   Information System Backup\nCP-10  Information System Recovery and Reconstitution\nSource: NIST SP 800-53 Rev. 1.\nLegend: \xe2\x9c\x93 Selected security controls for KPMG testing\n\nOf particular note, the FDIC has established a DIT contingency planning program policy.29 Further, the FDIC has documented system recovery plans in the DIT Business Continuity Plan that were current and consistent with NIST guidance. In addition, the FDIC conducted a disaster recovery test of its mission-critical applications and GSSs in April 2007. The disaster recovery test was successful in achieving its primary objective of recovering the FDIC\xe2\x80\x99s mission-critical applications and GSSs within pre-determined timeframes. The FDIC prepared a formal report detailing the results of its disaster recovery testing and developed plans to address the issues it identified during the testing.\n\nThe above actions are positive; however, a recent audit of the FDIC\xe2\x80\x99s IT disaster recovery capability30 identified several opportunities for the FDIC to improve its Contingency Planning controls. Specifically, the audit noted that DIT needed to update the FDIC\xe2\x80\x99s contingency planning program policy to reflect the Corporation\xe2\x80\x99s current IT disaster recovery environment and recent NIST guidance, and document (and test as appropriate) its plans for recovering certain security services designed to protect the FDIC\xe2\x80\x99s network during a disaster. In addition, the audit noted that the FDIC was working to update its Business Impact Analysis (BIA). Based on the collective control strengths and deficiencies related to contingency planning, KPMG determined that the Contingency Planning control family demonstrated effectiveness.\n\n29\n     Circular 1360.13, DIT\xe2\x80\x99s Contingency Planning Program Policy, dated November 22, 2004.\n30\n     Draft OIG Report, FDIC\xe2\x80\x99s IT Disaster Recovery Capability, dated August 24, 2007. KPMG provided technical assistance to the FDIC OIG in the evaluation of FDIC\xe2\x80\x99s IT Disaster Recovery capability.\n\nPage 23\n\x0cKPMG\xe2\x80\x99s Independent Evaluation of FDIC Information Security Program \xe2\x80\x93 2007\n\nConfiguration Management (CM)\nRating: Demonstrated Effectiveness\n\nTable 10: Configuration Management\nCM-1  Configuration Management Policies and Procedures\nCM-2  Baseline Configuration\nCM-3  Configuration Change Control\nCM-4  Monitoring Configuration Changes\nCM-5  Access Restrictions for Change\nCM-6  Configuration Settings\nCM-7  Least Functionality\nCM-8  Information System Component Inventory\nSource: NIST SP 800-53 Rev. 1.\nLegend: \xe2\x9c\x93 Selected security controls for KPMG testing\n\nKey to ensuring the confidentiality, integrity, and availability of any information system is implementing structured processes for managing the inevitable changes that will occur during the system\xe2\x80\x99s life cycle. Such processes, collectively referred to as configuration management, include evaluating, authorizing, testing, tracking, reporting, and verifying both hardware and software changes. Inadequate configuration management controls increase the risk that unauthorized programs or untested changes could inadvertently or deliberately be implemented and negatively affect system performance or security.\n\nImportantly, the FDIC established a corporate-wide software configuration management policy covering all of its application and system software.31 The policy requires that the FDIC\xe2\x80\x99s software configuration management practices be consistent with the principles of the Capability Maturity Model Integration (CMMI)32 and relevant federal standards and guidelines. 
In addition, DIT established the FDIC Infrastructure Change Control Board to, among other things, review and approve changes to the FDIC\xe2\x80\x99s IT infrastructure and technical architecture, including the Windows Servers and Personal Systems GSS. DIT also developed software configuration management plans for its Windows Servers and Personal Systems GSS.\n\nOn March 22, 2007, OMB issued Memorandum M-07-11 entitled, Implementation of Commonly Accepted Security Configurations for Windows Operating Systems.33 The OMB memorandum requires agencies using the Windows XP operating system to adopt the security configurations developed by NIST, the Department of Defense, and the Department of Homeland Security no later than February 1, 2008. The OMB memorandum states that adopting such configurations is important to improving information security and reducing overall IT operating costs. As part of its FISMA evaluation work, KPMG compared the security configuration settings recommended in NIST SP 800-68, Guidance for Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist (dated October 2005), to the standard security configuration settings of the FDIC\xe2\x80\x99s Windows XP desktop. KPMG noted that 27 of 133 configuration settings implemented by the FDIC, including settings related to passwords, account lockouts, and event log sizes, were less restrictive than those recommended in NIST SP 800-68. Implementing configuration settings that are less restrictive than those recommended by NIST can pose additional risks to the confidentiality, integrity, and availability of FDIC desktops and laptops. KPMG brought these discrepancies to DIT\xe2\x80\x99s attention during the evaluation, and DIT began evaluating the impact. 
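The comparison KPMG performed, each setting on the desktop image checked against a published checklist, is the kind of check an automated tool can repeat across every server and desktop. The Python script below is an added illustration of that check written for this page; it is not code from the report, from KPMG, or from the tool DIT was evaluating. It parses a constructed export laid out like a `secedit /export` INF file (real exports are UTF-16 encoded) and reports each setting that is weaker than a baseline rule. The baseline numbers are illustrative placeholders rather than the NIST SP 800-68 values; the section names and the security event log registry path mirror the secedit format. Two cases such comparisons often get wrong are handled explicitly: a value of 0 that means "never" or "disabled" (a maximum password age of 0 never expires, a lockout threshold of 0 never locks), which a plain numeric comparison would treat as the strictest possible setting, and a setting the export does not carry at all, which is reported as missing rather than silently passed.

```python
"""Compare a Windows security-configuration export against a hardening baseline.
Added example for the configuration-settings finding above; not code from the
KPMG/FDIC report or from DIT's tool. SAMPLE_EXPORT is constructed to mimic the
layout written by `secedit /export /cfg <file>` (real exports are UTF-16 encoded).
Every number in BASELINE is an illustrative placeholder, not NIST SP 800-68's value.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

Value = Union[int, str]


@dataclass(frozen=True)
class Rule:
    section: str                     # INF section: "System Access" or "Registry Values"
    key: str                         # setting name or registry path inside that section
    expected: int                    # placeholder baseline value (see docstring)
    direction: str                   # "min": actual >= expected; "max": actual <= expected
    zero_is_unbounded: bool = False  # 0 means "never"/"disabled", the weakest value


@dataclass(frozen=True)
class Finding:
    rule: Rule
    actual: Optional[Value]          # None when the export does not carry the setting
    reason: str                      # "weaker", "missing" or "non-numeric"


def parse_secedit_export(text: str) -> Dict[str, Dict[str, Value]]:
    """Parse `[Section]` / `key = value` lines; REG_DWORD (`4,<n>`) registry data becomes int."""
    settings: Dict[str, Dict[str, Value]] = {}
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if section == "Registry Values" and "," in value:
            reg_type, data = value.split(",", 1)
            parsed: Value = int(data) if reg_type == "4" else data.strip('"')
        else:
            parsed = int(value) if value.lstrip("-").isdigit() else value.strip('"')
        settings.setdefault(section, {})[key] = parsed
    return settings


def evaluate(settings: Dict[str, Dict[str, Value]], rules: List[Rule]) -> List[Finding]:
    """One Finding per rule the export fails; compliant rules produce none."""
    findings: List[Finding] = []
    for rule in rules:
        actual = settings.get(rule.section, {}).get(rule.key)
        if actual is None:                              # unset: cannot assume it is hardened
            findings.append(Finding(rule, None, "missing"))
        elif not isinstance(actual, int):
            findings.append(Finding(rule, actual, "non-numeric"))
        elif rule.zero_is_unbounded and actual == 0:    # e.g. passwords never expire, no lockout
            findings.append(Finding(rule, actual, "weaker"))
        elif rule.direction == "min" and actual < rule.expected:
            findings.append(Finding(rule, actual, "weaker"))
        elif rule.direction == "max" and actual > rule.expected:
            findings.append(Finding(rule, actual, "weaker"))
        elif rule.direction not in ("min", "max"):
            raise ValueError(f"unknown direction {rule.direction!r}")
    return findings


SECLOG = r"MACHINE\System\CurrentControlSet\Services\Eventlog\Security"
BASELINE: List[Rule] = [   # placeholder numbers; the directions and zero handling are the point
    Rule("System Access", "MinimumPasswordLength", 12, "min"),
    Rule("System Access", "PasswordComplexity", 1, "min"),
    Rule("System Access", "PasswordHistorySize", 24, "min"),
    Rule("System Access", "MaximumPasswordAge", 90, "max", zero_is_unbounded=True),
    Rule("System Access", "LockoutBadCount", 10, "max", zero_is_unbounded=True),
    Rule("System Access", "LockoutDuration", 15, "min", zero_is_unbounded=True),
    Rule("Registry Values", SECLOG + r"\MaxSize", 81920, "min"),
    Rule("Registry Values", SECLOG + r"\RestrictGuestAccess", 1, "min"),
]

SAMPLE_EXPORT = r"""
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 6
MaximumPasswordAge = 0
LockoutBadCount = 0
[Registry Values]
MACHINE\System\CurrentControlSet\Services\Eventlog\Security\MaxSize=4,4096
MACHINE\System\CurrentControlSet\Services\Eventlog\Security\RestrictGuestAccess=4,1
[Version]
signature="$CHICAGO$"
Revision=1
"""   # constructed sample; LockoutDuration is deliberately absent


def compare_export(text: str, rules: List[Rule] = BASELINE) -> List[Finding]:
    return evaluate(parse_secedit_export(text), rules)


if __name__ == "__main__":
    found = compare_export(SAMPLE_EXPORT)
    print(f"{len(found)} of {len(BASELINE)} baseline settings are weaker than or missing from the export")
    for f in found:
        name = f.rule.key.rsplit("\\", 1)[-1]
        print(f"  {f.reason:<11} {name:<22} actual={f.actual}  baseline {f.rule.direction} {f.rule.expected}")
```

Feed a real export by reading the file with `encoding="utf-16"` and passing its text to `compare_export`; each Finding names the rule, the actual value and why it failed, so the output is the same kind of discrepancy list as the 27-of-133 result described above, and the baseline list is the only thing to replace with the checklist values actually adopted.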
DIT is currently seeking internal approval of an automated tool that will facilitate a comparison of the security configuration settings of the FDIC\xe2\x80\x99s Windows servers and desktops to NIST-recommended configuration settings. As of the time of our fieldwork, DIT planned to implement the tool in September 2007. DIT officials indicated that there were differences between the configuration settings implemented by the FDIC and those recommended by NIST SP 800-68 because the FDIC had initially adopted a security configuration based on the National Security Agency\xe2\x80\x99s guidance prior to the publication of NIST SP 800-68 in October 2005.\n\n31\n   Circular 1320.4, FDIC Software Configuration Management Policy, dated June 8, 2006.\n32\n   A process improvement methodology developed by Carnegie Mellon University\xe2\x80\x99s Software Engineering Institute.\n33\n   The FDIC has determined that, in connection with this memorandum, OMB does not have authority to direct the FDIC to take certain actions of OMB\xe2\x80\x99s choosing.\n\nPage 24\n\x0c\nFurther, KPMG\xe2\x80\x99s testing showed that DIT has effective controls in place for monitoring and tracking configuration changes for information systems. KPMG reviewed a non-statistical sample of 30 configurations out of a total population of 456 and successfully identified change approvals from DIT for each one.\n\nMaintenance (MA)\nRating: Demonstrated Effectiveness\n\nTable 11: Maintenance\nMA-1  System Maintenance Policy and Procedures\nMA-2  Controlled Maintenance\nMA-3  Maintenance Tools\nMA-4  Remote Maintenance\nMA-5  Maintenance Personnel\nMA-6  Timely Maintenance\nSource: NIST SP 800-53 Rev. 1.\nLegend: \xe2\x9c\x93 Selected security controls for KPMG testing\n\nMaintenance involves scheduling, performing, and documenting preventative and regular maintenance on components of information systems in accordance with manufacturer or vendor specifications and/or organization requirements. Maintenance also involves approving, controlling, and monitoring maintenance tools and activities.\n\nThe FDIC has established policies and procedures for maintaining its information system components. Importantly, the FDIC maintains current, vendor-supported operating system software for its Windows servers and Windows desktops and laptops. 
Further, at the time of our evaluation, the FDIC was in the process of replacing its laptop computers as part of a planned corporate laptop replacement project.\n\nPage 25\n\x0c\nSystem and Information Integrity (SI)\nRating: Warrants Management Attention\n\nTable 12: System and Information Integrity\nSI-1   System and Information Integrity Policy and Procedures\nSI-2   Flaw Remediation\nSI-3   Malicious Code Protection\nSI-4   Information System Monitoring Tools and Techniques\nSI-5   Security Alerts and Advisories\nSI-6   Security Functionality Verification\nSI-7   Software and Information Integrity\nSI-8   Spam Protection\nSI-9   Information Input Restrictions\nSI-10  Information Accuracy, Completeness, Validity, and Authenticity\nSI-11  Error Handling\nSI-12  Information Output Handling and Retention\nSource: NIST SP 800-53 Rev. 1.\nLegend: \xe2\x9c\x93 Selected security controls for KPMG testing\n\nSystem and information integrity includes security controls for identifying, reporting, and correcting information system flaws. Such flaws can be discovered through system security assessments, continuous monitoring, or software vendors that recommend the implementation of software patches, service packs, or hotfixes to their software. System and information integrity also involves the deployment of virus protection and intrusion detection mechanisms to protect the agency\xe2\x80\x99s IT operations and the implementation of controls to ensure the accuracy, completeness, and validity of information.\n\nThe FDIC has established policies and procedures designed to ensure the integrity of its systems and information. DIT has deployed anti-virus software to protect its Windows Servers and Personal Systems GSS and implemented a new intrusion detection system (IDS) within the last year to log, store, and aggregate network IT events. In addition, DIT has established a software patch management policy,34 adopted performance measures to monitor the deployment of patches against pre-established timeframes, and reported the status of its patch identification, testing, and deployment activities. DIT has been working hard to ensure the timely implementation of software patches in the Windows Servers and Personal Systems GSSs. 
However, continued management attention is warranted to ensure that all Windows servers are appropriately patched in a timely manner to protect against known security vulnerabilities.\n\nAs part of system and information integrity control testing, KPMG selected 34 of 67 Windows servers in the FDIC\xe2\x80\x99s disaster recovery computing facility on April 26, 2007 for a detailed security configuration review. KPMG found that 2 of the 34 servers were each missing over 40 security patches. Many of the missing security patches were classified by the Microsoft Corporation as critical, presenting a serious risk to the operation of the servers. Although DIT took prompt action to patch the two vulnerable servers during the FISMA evaluation, these actions provided only a temporary solution to a broader management challenge. The OIG indicated in a draft report35 that DIT should implement control improvements in its patch deployment processes to help ensure that all Windows servers are patched in a timely manner. In addition, KPMG noted that limitations in DIT\xe2\x80\x99s vulnerability scanning processes prevented DIT from detecting the lack of security patches on these two servers. Accordingly, the OIG is recommending that DIT enhance its vulnerability scanning processes to ensure that all servers in the production environment are routinely scanned for security vulnerabilities.\n\n34\n     DIT Policy 04-004, Policy on Security Patch Management, published April 15, 2005.\n35\n     Draft OIG Report, FDIC\xe2\x80\x99s IT Disaster Recovery Capability, dated August 24, 2007. KPMG provided technical assistance to the FDIC OIG in the evaluation of FDIC\xe2\x80\x99s IT Disaster Recovery capability.\n\nPage 26\n\x0c\nMedia Protection (MP)\nRating: Warrants Management Attention\n\nTable 13: Media Protection\nMP-1  Media Protection Policy and Procedures\nMP-2  Media Access\nMP-3  Media Labeling\nMP-4  Media Storage\nMP-5  Media Transport\nMP-6  Media Sanitization and Disposal\nSource: NIST SP 800-53 Rev. 1.\nLegend: \xe2\x9c\x93 Selected security controls for KPMG testing\n\nMedia protection involves those security controls related to controlling access to hardcopy and electronic media, labeling media consistent with its sensitivity, and ensuring the security of stored media. Media protection also involves safeguarding the transportation of media and ensuring that appropriate controls are in place when sanitizing and disposing of media.\n\nOn April 30, 2007, the FDIC issued Circular 1360.9, Protecting Sensitive Information, requiring, among other things, that FDIC employees and contractors label portable storage media (e.g., CDs/DVDs and USB thumb drives) as containing sensitive information; limit access to sensitive information to only those individuals with a business need to know; store sensitive information only on Corporation-owned IT equipment; encrypt sensitive information stored on end-user IT equipment (e.g., FDIC laptop computers) and portable storage media; properly dispose of sensitive electronic media when it is no longer needed; and notify appropriate officials should a compromise of sensitive information occur. The issuance of this policy was a significant improvement for the FDIC\xe2\x80\x99s media protection controls. However, as described below, KPMG identified several control areas related to media protection that warranted management attention.\n\nAs of August 31, 2007, the FDIC was in the process of deploying new software that automatically encrypts sensitive information stored on the FDIC\xe2\x80\x99s laptop computers. This software is replacing the FDIC\xe2\x80\x99s older encryption solutions that require manual intervention by users, limiting management\xe2\x80\x99s assurance that sensitive information is consistently encrypted. In addition, a recent audit completed by the OIG noted that FDIC employees were not encrypting sensitive information stored on portable storage media as prescribed by FDIC policy.36 Although the FDIC has implemented encryption software to protect sensitive information stored on portable storage media, the software also requires manual intervention by users, limiting management\xe2\x80\x99s assurance that sensitive information is consistently encrypted. 
DIT plans to identify and subsequently deploy new encryption software for its portable\nstorage media. DIT also plans to deploy encryption software on all agency Personal Digital Assistants\nand BlackBerrys\xc2\xae.\n\nOn June 20 and July 3, 2007, the OIG conducted after-hours walkthroughs of selected FDIC headquarters\nfacilities and identified hardcopy sensitive information (including PII) stored in unsecured filing rooms\nand unsecured filing cabinets located in common areas. The OIG promptly notified DOA and DIT\nofficials of the locations of this information, and corrective action was taken or underway at the close of\nour evaluation. The OIG also conducted walkthroughs of three FDIC regional office buildings in June\n2007. In general, the OIG found that regional offices were taking reasonable steps to secure sensitive\nhardcopy information. However, the OIG noted isolated instances of unsecured PII in each of the three\nregional offices visited. The OIG immediately brought these isolated instances to the attention of regional\noffice officials, and corrective action was taken to secure the hardcopy and electronic media.\n\n\n\n36\n     FDIC OIG Audit Report No. AUD-07-010, Division of Resolutions and Receiverships Protection of Electronic\n     Records, dated September 5, 2007.\n\n                                                                                                                       Page 27\n\x0cKPMG\xe2\x80\x99s Independent Evaluation of FDIC Information Security Program \xe2\x80\x93 2007\n\nThe FDIC routinely transports mainframe and server backup tapes to an off-site contactor location for\nboth archiving and disaster recovery purposes. Although the backup tapes contain sensitive information,\nthey are not encrypted. 
OMB Memorandum M-06-16, Protection of Sensitive Agency Information, dated\nJune 23, 2006, recommends that agencies encrypt all data on mobile computers/devices that carry agency\ndata unless the data is determined, in writing, to be non-sensitive data. In addition, NIST SP\n800-53 Rev. 1 states that an organization\xe2\x80\x99s assessment of risk should guide the use of encryption for\nbackup information. Given the high volume of data stored on its backup tapes, the loss or compromise of\na backup tape could have a significant impact on the FDIC. At the close our evaluation, a DIT official\nadvised KPMG that DIT had investigated available encryption solutions for securing tape media but had\nnot found a solution that would operate across its IT environment. The DIT official stated DIT is\nconcentrating its encryption efforts on the higher-risk areas such as laptops, USB thumb drives,\nBlackberrys\xc2\xae, PDAs, and desktops before exploring encryption for its backup tapes. Although not\nspecifically required by statute, NIST standards, or OMB guidelines, the FDIC should consider\nencrypting its backup tapes to reduce the risk of a potential unauthorized disclosure of sensitive\ninformation\n\n\nIncident Response (IR)\nRating: Demonstrated Effectiveness\n                                                             Table 14: Incident Response\nFISMA requires that agency information security                       Incident Response Policy and\n                                                             IR-1\n                                                                      Procedures\nprograms include procedures for detecting,\nreporting, and responding to security incidents.37           IR-2     Incident Response Training\nImplementing an effective incident response                  IR-3\n                                                                      Incident Response Testing and\ncapability involves considering many factors,                         
Exercises\nincluding training and detection, analysis,                  IR-4     Incident Handling\ncontainment, eradication, reporting, and recovery            IR-5     Incident Monitoring\nfrom security incidents.                                     IR-6     Incident Reporting\n\n                                                             IR-7     Incident Response Assistance\nThe FDIC maintains a computer security                Source: NIST SP 800-53 Rev. 1.\nincident response capability that is consistent       Legend: 9 Selected security controls for KPMG testing\nwith NIST SP 800-61, Computer Security\nIncident Handling Guide. The FDIC has prepared procedural manuals containing detailed guidance for\nthe prevention, detection, analysis, response, recovery, and reporting of security incidents. The FDIC also\nprovides regular training for its Computer Security Incident Response Team members. At the close of\nour evaluation, DIT was working to develop a security breach plan and guidelines in response to OMB\xe2\x80\x99s\nMay 22, 2007 Memorandum 07-16, Safeguarding Against and Responding to the Breach of Personally\nIdentifiable Information.\n\n\n\n\n37\n     NIST SP 800-61 defines an incident as a violation of computer security policies, acceptable use policies, or\n     standard computer security practices.\n\n                                                                                                                Page 28\n\x0cKPMG\xe2\x80\x99s Independent Evaluation of FDIC Information Security Program \xe2\x80\x93 2007\n\nAwareness and Training (AT)\nRating: Demonstrated Effectiveness\n                                                          Table 15: Awareness and Training\nFISMA requires federal agencies to provide                       Security Awareness and Training\n                                                      AT-1\nsecurity awareness training to users of agency                   Policy and Procedures\n\ninformation systems and requires 
agency CIOs          AT-2       Security Awareness\nto ensure proper oversight and training of            AT-3       Security Training\npersonnel with significant information security       AT-4       Security Training Records\nresponsibilities. In addition, federal                           Contacts with Security Groups and\nregulations38 require agencies to develop a           AT-5\n                                                                 Associations\nsecurity awareness and training plan, identify        Source: NIST SP 800-53 Rev. 1.\n                                                      Legend: 9Selected security controls for KPMG testing\nemployees with significant security\nresponsibilities, and provide role-specific training in accordance with NIST standards and guidelines.\n\nCircular 1360.16, Mandatory Information Security Awareness Training, requires users of the FDIC\xe2\x80\x99s\nnetwork to complete an annual Web-based information security awareness orientation.39 The circular\nstates that new employees shall log on and review the FDIC\xe2\x80\x99s information security awareness Web-site\nand orientation as soon as their network access is granted; failure to do so within 5 working days of\nreceiving a network ID may result in revoking the employee\xe2\x80\x99s or contractor\xe2\x80\x99s access to FDIC systems and\napplications. The FDIC continued its prior-year practices of requiring (a) network users to complete the\nannual security awareness orientation, (b) major application users to complete application-specific\nsecurity awareness training, and (c) GSS technicians and managers to complete system-specific security\ntraining. 
In addition, DIT developed a formal training plan to ensure its staff with significant information security responsibilities receive appropriate security training for the type of work they perform.\n\nKPMG determined that DIT had addressed a prior-year deficiency related to new network users not completing the security awareness orientation on a timely basis. In addition, KPMG identified several opportunities for DIT to enhance the effectiveness of the FDIC\xe2\x80\x99s security awareness and training practices. Such enhancements include, for example, better integration of the FDIC\xe2\x80\x99s security policies and procedures. KPMG discussed these minor enhancements during a September 6, 2007 meeting with the CIO.\n\n38\n     The FDIC has determined that these regulations entitled, Information Security Responsibilities for Employees Who Manage or Use Federal Information Systems (5 Code of Federal Regulations Part 930 Subpart C) apply to the Corporation.\n39\n     The orientation includes information about laws, regulations, and policies related to computer security; rules of behavior for systems and major applications; tips on effective security; and links to additional sources of information.\n\nPage 29\n\x0c\nTECHNICAL CONTROLS\n\nTechnical controls are the safeguards or countermeasures for an information system that are primarily implemented and executed by the system through mechanisms contained in the hardware, software, or firmware components of the system. NIST SP 800-53 Rev. 1 separates technical controls into four control families: Identification and Authentication; Access Control; Audit and Accountability; and System and Communications Protection. In summary, the controls tested related to Identification and Authentication, Access Control, and Audit and Accountability warranted management attention. We did not evaluate System and Communications Protection as part of our current-year work.\n\nIdentification and Authentication (IA)\nRating: Warrants Management Attention\n\nTable 16: Identification and Authentication\nIA-1  Identification and Authentication Policy and Procedures\nIA-2  User Identification and Authentication\nIA-3  Device Identification and Authentication\nIA-4  Identifier Management\nIA-5  Authenticator Management\nIA-6  Authenticator Feedback\nIA-7  Cryptographic Module Authentication\nSource: NIST SP 800-53 Rev. 1.\nLegend: \xe2\x9c\x93 Selected security controls for KPMG testing\n\nIdentification and authentication includes security controls designed to verify the identity of individual users, processes, or devices as a prerequisite to allowing access to information systems and data. Identification and authentication can be accomplished using various means, such as passwords, card tokens, biometrics, or some combination thereof.\n\nThe FDIC established policies and procedures designed to identify and authenticate users of its information systems. However, KPMG identified security control deficiencies warranting management attention. Specifically, KPMG conducted a limited review of the security configuration of four database servers in the Windows Servers GSS as of July 20, 2007 and identified five database accounts with weak passwords. 
None of the passwords used to protect these five accounts satisfied the requirements of Circular 1360.10, Corporate Password Standards, regarding (among other things) length, use of alphanumeric or special characters, periodic resets, and complexity (i.e., hard to guess). Circular 1360.10 states that passwords must be well designed and properly implemented because they are often the first line of defense for limiting access to corporate data to authorized users. These password deficiencies elevated the risk that a network user could have used these accounts, without authorization, to access, modify, or delete sensitive FDIC information. KPMG apprised DIT of the weak password deficiencies, and DIT promptly took corrective action. DIT should enhance its continuous monitoring program to achieve greater assurance of detecting weak passwords throughout the Windows Servers GSS.\n\nNIST recommends that organizations encrypt passwords when transmitted over a network to guard against eavesdropping. Generally, the FDIC observes this security practice; however, KPMG identified two instances where user IDs and passwords were transmitted without being encrypted across the FDIC\xe2\x80\x99s internal network in its data center. In one instance, KPMG noted that the FDIC\xe2\x80\x99s Remote Client Network (RCN) Web servers did not encrypt the user IDs and passwords that they exchanged with other RCN Windows servers across the FDIC\xe2\x80\x99s internal network. In a second instance, KPMG observed that a Windows job-scheduling server exchanged a powerful mainframe user ID and password without encryption with the FDIC\xe2\x80\x99s production mainframe to initiate batch jobs. Circular 1360.10, Corporate Password Standards, states that passwords must never be transmitted without being encrypted. KPMG recognizes that mitigating controls, such as physical security controls, exist. However, the FDIC could improve its identification and authentication controls by implementing only those technical solutions that encrypt user IDs and passwords.\n\nPage 30\n\x0c\nFIPS PUB 201, Personal Identity Verification of Federal Employees and Contractors, and associated publications establish standards and requirements for the identity verification of federal employees and contractors and for the issuance of Personal Identity Verification (PIV) credentials.40 OMB directed agencies to begin issuing identity credentials to meet the FIPS PUB 201 standard by October 27, 2006.41 Government corporations such as the FDIC are encouraged to comply with HSPD-12. With regard to the FDIC\xe2\x80\x99s efforts to implement a PIV system that is consistent with FIPS PUB 201 for its employees and contractors, DOA has drafted a project plan describing the FDIC\xe2\x80\x99s intended approach for implementing the goals and objectives of HSPD-12. According to the draft plan, the FDIC estimates that it will begin issuing HSPD-12 compliant identity credentials in late 2007 or early 2008.\n\n40\n     NIST issued FIPS PUB 201 in response to HSPD-12.\n41\n     OMB Memorandum M-05-24, Implementation of Homeland Security Presidential Directive (HSPD) 12 \xe2\x80\x93 Policy for a Common Identification Standard for Federal Employees and Contractors, dated August 5, 2005.\n\nPage 31\n\x0c\nAccess Control (AC)\nRating: Warrants Management Attention\n\nTable 17: Access Control\nAC-1   Access Control Policy and Procedures\nAC-2   Account Management\nAC-3   Access Enforcement\nAC-4   Information Flow Enforcement\nAC-5   Separation of Duties\nAC-6   Least Privilege\nAC-7   Unsuccessful Login Attempts\nAC-8   System Use Notification\nAC-9   Previous Logon Notification\nAC-10  Concurrent Session Control\nAC-11  Session Lock\nAC-12  Session Termination\nAC-13  Supervision and Review \xe2\x80\x93 Access Control\nAC-14  Permitted Actions w/o Identification and Authentication\nAC-15  Automated Marking\nAC-16  Automated Labeling\nAC-17  Remote Access\nAC-18  Wireless Access Restriction\nAC-19  Access Control for Portable and Mobile Devices\nAC-20  Use of External Information Systems\nSource: NIST SP 800-53 Rev. 1.\nLegend: \xe2\x9c\x93 Selected security controls for KPMG testing\n\nInformation system access controls (i.e., logical access controls) provide assurance that system resources can be accessed only by authorized users in authorized ways. Logical access controls provide a technical means of controlling the information users can read and copy, the programs they can execute, and the modifications they can make.\n\nThe FDIC has established policies and procedures that communicate corporate-wide roles and responsibilities for managing access to its information systems, data, and remote access.42 The FDIC was also working to implement several key initiatives aimed at strengthening access controls. Such initiatives include a corporate effort to secure sensitive information stored on the FDIC\xe2\x80\x99s internal network shared drives and a project to reengineer and integrate the FDIC\xe2\x80\x99s access control systems and procedures. While these actions were positive, KPMG identified deficiencies in the following controls: separation of duties, least privilege, and session termination, as described below.\n\nWith regard to separation of duties, KPMG noted that as of July 20, 2007, four FDIC employees and eight contractor personnel were members of a powerful Windows group called the Windows Domain Admins group. Limiting membership in the Windows Domain Admins group based on business need is critical because the group allows its members to grant themselves access to Windows applications and record transactions and to delete application audit logs. Microsoft\xe2\x80\x99s publication entitled, Best Practices for Delegating Active Directory Administration, recommends that organizations assign only two or three system administrators to the Windows Domain Admins group. The FDIC can promote improved separation of duties in the Windows GSS by evaluating the feasibility of reducing the number of system administrators in the Windows Domain Admins group and by delegating specific administrative activities to less powerful administrative groups, where possible. In this manner, the FDIC can mitigate the risk that system administrators can alter and delete security logs and limit system administrators\xe2\x80\x99 ability to alter application data. 
The FDIC should also evaluate other Windows administrative groups to ensure that appropriate separation of duties exists. Such an effort could be integrated into the FDIC’s Identity and Access Management project.

42 Such policies and procedures include, but are not limited to, Circulars 1360.15, Access Control for Automated Information Systems; and 1370.1, Periodic Review of Mainframe Resource Access; the FDIC’s Access Control Procedures and Guidelines; and Information Security Manager’s (ISM) Guide.

Page 32
KPMG’s Independent Evaluation of FDIC Information Security Program – 2007

The security principle of least privilege refers to the practice of restricting user access to only those IT resources, including data, needed to perform official duties. The FDIC did not always restrict access to sensitive information, including PII, on the FDIC’s internal network to users with a business need to access the information. As reported in the OIG’s Audit Report No. AUD-07-010, Division of Resolutions and Receiverships Protection of Electronic Records, access to sensitive resolution and receivership information, including PII, stored on the FDIC’s internal network was not adequately protected. FDIC security officials took prompt action to restrict access to the sensitive information identified during the OIG audit; however, during our FISMA evaluation work, KPMG identified additional instances in which sensitive data was stored on internal network shared drives without adequate access restrictions. Further, KPMG tested a non-statistical sample of 67 Windows servers, deemed mission-critical by DIT, and identified eight servers that granted all users full control of 14 network shared drives. One of the 14 network shared drives contained the security event logs for all Windows Servers. Any user on the internal network could read, modify, or delete these critical security logs. This deficiency limited the FDIC’s assurance regarding the integrity of the IT security logs. At the close of our evaluation, the FDIC was working to address these issues as part of a broader Corporate initiative.

With regard to security control AC-12 Session Termination, the FDIC did not always automatically terminate remote sessions after 30 minutes of inactivity. As stated in OMB memorandum M-06-16, Protection of Sensitive Agency Information, remote access sessions should terminate after a period of user inactivity. Time-out functionality testing of the FDIC’s four remote access solutions43 showed several situations where the remote session does not terminate after 30 minutes of inactivity. As a compensating control, DIT has instituted a 15-minute password-protected screensaver on all agency laptops.
However, this compensating control does not apply when users remotely access the FDIC network from a non-FDIC (e.g., home) computer.

KPMG identified other access control deficiencies related to Windows server security; however, because these deficiencies were less significant, KPMG communicated them separately to the CIO.

43 The four remote access solutions are Ascend Dial-in, RCN, FastAccess, and WebVPN.

Audit and Accountability (AU)
Rating: Warrants Management Attention

Table 18: Audit and Accountability
    AU-1    Audit and Accountability Policy and Procedures
    AU-2    Auditable Events
    AU-3    Contents of Audit Records
    AU-4    Audit Storage Capacity
    AU-5    Response to Audit Processing Failures
    AU-6    Audit Monitoring, Analysis, and Reporting
    AU-7    Audit Retention and Report Generation
    AU-8    Time Stamps
    AU-9    Protection of Audit Information
    AU-10   Non-repudiation
    AU-11   Audit Record Retention
    Source: NIST SP 800-53 Rev. 1.
    Legend: ✓ Selected security controls for KPMG testing

Audit and Accountability involves generating audit records at a sufficient level of detail to establish the events that took place, sources of the events, and outcomes of the events. Audit and Accountability also involves consideration of audit trail storage, processing, monitoring, reporting, protection, and retention. Audit records, together with appropriate tools and procedures, promote key security-related objectives, such as detecting security violations, individual accountability, and reconstructing auditable events. To be effective, agencies should configure their software to collect and maintain audit trails that are sufficient to track security-related events.

The FDIC has established policy and procedures to incorporate audit and accountability controls within its information systems. Regarding the control AU-6, Audit Monitoring, Analysis, and Reporting, the FDIC’s ISMs review and report on access violations for the Windows Servers GSS. Additionally, the FDIC’s Computer Security Incident Response Team (CSIRT) monitors the Windows security audit log, a host-based IDS solution, and changes to group membership for selected Windows administrator groups. KPMG’s testing verified that a central tracking system tracks the addition and deletion of users within selected administrator groups and that CSIRT initiates appropriate action when warranted.

While these controls are positive, opportunities for improvement remain.
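As an added illustration (not part of the KPMG report or the FDIC’s own tooling), the following PowerShell script performs a point-in-time check for the two Access Control conditions described above, complementing the CSIRT group-membership monitoring noted in this section: it measures Domain Admins membership against the two-or-three-administrator guidance the report cites, and it lists non-administrative shares that grant Full Control to broad principals such as Everyone, flagging any that hold Windows event log files. It assumes the ActiveDirectory and SmbShare modules (Windows Server 2012 or later, or RSAT); the threshold and the principal list are assumed values to be adjusted locally.

```powershell
#Requires -Modules ActiveDirectory, SmbShare
# Added example (not from the KPMG report or the FDIC): point-in-time checks for the
# AC-5 and AC-6 findings described above. Run on a domain-joined server with the
# listed modules; the threshold and principal list below are assumed values.
param(
    [int]$MaxDomainAdmins = 3,   # "two or three" per the Microsoft guidance the report cites
    [string[]]$BroadPrincipals = @('Everyone', 'Authenticated Users', 'Domain Users', 'Users')
)

function Test-DomainAdminMembership {
    param([int]$Threshold)
    # -Recursive expands nested groups, which otherwise hide additional administrators.
    $members = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
                 Where-Object { $_.objectClass -eq 'user' } |
                 Sort-Object -Property SamAccountName -Unique)
    $status = 'OK'
    if ($members.Count -gt $Threshold) { $status = 'Warrants management attention' }
    [pscustomobject]@{
        Check   = 'AC-5 Separation of Duties: Domain Admins membership'
        Count   = $members.Count
        Members = ($members.SamAccountName -join ', ')
        Status  = $status
    }
}

function Find-OverPermissiveShares {
    param([string[]]$Principals)
    # Administrative shares (C$, ADMIN$, IPC$) are marked Special and carry fixed ACLs.
    foreach ($share in (Get-SmbShare | Where-Object { -not $_.Special })) {
        foreach ($ace in (Get-SmbShareAccess -Name $share.Name)) {
            # Drop any "DOMAIN\" or "BUILTIN\" prefix so account names compare cleanly.
            $account = $ace.AccountName -replace '^.*\\', ''
            if ($ace.AccessControlType -eq 'Allow' -and
                $ace.AccessRight -eq 'Full' -and
                $Principals -contains $account) {
                # A share holding event logs lets any user alter the audit trail (AU-9).
                $holdsLogs = $false
                if ($share.Path) {
                    $holdsLogs = [bool](Get-ChildItem -Path $share.Path -Filter '*.evt*' `
                                                      -ErrorAction SilentlyContinue)
                }
                [pscustomobject]@{
                    Check     = 'AC-6 Least Privilege: Full Control granted to a broad principal'
                    Share     = $share.Name
                    Path      = $share.Path
                    Principal = $ace.AccountName
                    HoldsLogs = $holdsLogs
                }
            }
        }
    }
}

Test-DomainAdminMembership -Threshold $MaxDomainAdmins | Format-List
$findings = @(Find-OverPermissiveShares -Principals $BroadPrincipals)
if ($findings.Count -eq 0) {
    'No non-administrative share grants Full Control to a broad principal.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it against each server in the sample rather than once per domain, since share ACLs are set per server; the Domain Admins result is the same from any domain member.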
Also, in regard to security control AU-6, KPMG observed that DIT did not regularly review or analyze application audit logs within the Windows Servers GSS unless instructed by the system owner. To address this and previously noted deficiencies,44 the FDIC established a one-year project plan to improve its audit logging and monitoring of FDIC applications. Further, the FDIC developed a draft strategy document to achieve the following objectives:

    o establish an enterprise-wide program for audit logging and monitoring,
    o develop requirements for the monitoring program,
    o standardize the approach for implementing the monitoring function, and
    o establish roles and responsibilities for DIT and system owners.

Lastly, DIT drafted policy for logging and monitoring of audit records. While positive steps have been taken, KPMG observed that formal, documented procedures to facilitate the implementation of the audit and accountability controls were not implemented for application and system audit logs. Additionally, as mentioned within the Access Control family, DIT did not provide sufficient protection of audit records from unauthorized access, modification, and deletion.

44 FDIC OIG Audit Report No. 06-025, Controls for Monitoring Access to Sensitive Information Processed by FDIC Applications, dated September 29, 2006.

System and Communications Protection (SC)
Rating: Not Evaluated

System and communication protection addresses a number of key security control objectives, including ensuring that system functionality is appropriately segregated; communications are monitored, controlled, and protected; and cryptographic operations are adequate.

The FDIC has taken a number of steps toward ensuring that all communications paths provide confidentiality, integrity, and availability. Specifically, DIT has provided a means for encrypting all e-mail communication across the network, and DIT has successfully tested and begun deploying laptops with encrypted hard drives.

KPMG did not perform specific audit procedures related to system and communications protection because the majority of controls in this family pertain to GSSs not covered under our current-year evaluation. Such GSSs include the Public Key Infrastructure and Data Communication Infrastructure systems.
The OIG may evaluate system and communications protection security controls in future FISMA evaluations.

APPENDIX I – OBJECTIVE, SCOPE, AND METHODOLOGY

The objective of the FISMA evaluation was to evaluate the effectiveness of the FDIC’s information security program and practices, including the FDIC’s compliance with FISMA and related information security policies, procedures, standards, and guidelines. The scope of the FISMA evaluation included the Windows Servers, Remote Access, and Personal Systems GSSs. KPMG limited the scope of the FISMA evaluation within the Remote Access and Personal Systems GSS to the Windows 2000/2003 server components and the Windows XP desktop to assess the FDIC’s implementation of provisions in OMB Memorandum M-06-16, Protection of Sensitive Agency Information. Other hardware and software components within the Remote Access and Personal Systems GSS were not tested. The scope of the FISMA evaluation also included reviewing the FDIC’s common security controls such as Awareness and Training, Incident Response, Contingency Planning, and Personnel Security. Finally, KPMG reviewed the corrective actions taken to address issues identified during the FY 2006 FISMA evaluation.

To accomplish the evaluation’s objective, KPMG reviewed prior-year audit reports, including GAO’s report on the FDIC’s information security,45 the OIG’s FY 2005 and FY 2006 FISMA evaluations,46 and various FDIC OIG reports on information security to identify deficiencies and potential risk areas. In addition, KPMG conducted interviews with appropriate FDIC personnel to obtain an understanding of each area within the scope of the evaluation, updates in the control areas covered in prior-year reviews, and the status of any corrective actions. Further, KPMG reviewed FDIC documentation applicable to information security, including FDIC directives and DIT internal policies.

The FISMA evaluation did not assess controls at depository institutions insured or regulated by the FDIC that routinely provide financial information to the Corporation. KPMG performed its FISMA evaluation during the period April through August 2007 at the FDIC’s Headquarters offices and primary computer facility in Arlington, Virginia, and its disaster recovery site. Throughout the FISMA evaluation, KPMG met with FDIC management to discuss preliminary conclusions.

The FDIC OIG contracted with KPMG to evaluate the FDIC’s compliance with FISMA requirements and report on the FDIC’s IT controls over its information security program. KPMG conducted this performance audit in accordance with Generally Accepted Government Auditing Standards issued by the Comptroller General of the United States. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. This performance audit did not constitute an audit of financial statements in accordance with generally accepted government auditing standards. We were not engaged to and did not express an opinion on the FDIC’s internal controls over financial reporting or over financial management systems (for purposes of OMB’s Circular No. A-127, Financial Management Systems, July 23, 1993, as revised).
We caution that projecting our evaluation to future periods is subject to the risk that controls may become inadequate because of changes in conditions or because compliance with controls may deteriorate.

45 Information Security: Federal Deposit Insurance Corporation Needs to Sustain Progress Improving Its Program, GAO-07-351, May 18, 2007; see http://www.gao.gov/new.items/d07351.pdf.
46 FDIC OIG Audit Report No. 06-022, Independent Evaluation of the FDIC’s Information Security Program – 2006, dated September 28, 2006, and FDIC OIG Audit Report No. 05-040, Independent Evaluation of the FDIC’s Information Security Program – 2005, dated September 30, 2005.

Computer-based Data, Performance Measures, and Fraud and Illegal Acts

We performed appropriate procedures to assure ourselves that computer-based data were valid and reliable when those data were significant to our evaluation findings and conclusions. Such procedures included verifying selected automated data to source documentation and corroborating automated data through interviews with appropriate FDIC personnel. Finally, we did not develop specific audit procedures to detect fraud and illegal acts because we did not consider fraud and illegal acts to be material to the evaluation objective. However, throughout our evaluation, we were sensitive to the potential for fraud and illegal acts, and none came to our attention.

Internal Control

An explanation of the terms internal control, reasonable assurance, and adequate security is important to ensure a proper understanding of our approach and conclusions. OMB Circular No. A-123 (OMB A-123), Management’s Responsibility for Internal Control,47 states:

    Internal Control—organization, policies, and procedures—are tools to help program and financial managers achieve results and safeguard the integrity of their programs.

Additionally, OMB A-123 states that internal control must provide reasonable assurance as follows:

    Internal control is an integral component of an organization’s management that provides reasonable assurance that the following objectives are being achieved: effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations.

OMB A-130, Appendix III,48 defines adequate security as “security commensurate with the risk and magnitude of harm resulting from the loss, misuse, or modification of or unauthorized access to information.” This includes assuring that agency systems and applications provide appropriate confidentiality, integrity, and availability using cost-effective, risk-based management, personnel, operational, and technical controls. The concept of adequate security is consistent with FISMA, which directs agency heads to provide information security protections commensurate with the risk and magnitude of harm resulting from the unauthorized access to, use, disclosure, disruption, modification, or destruction of information and information systems.

47 On December 21, 2004, OMB revised the circular, which became effective in FY 2006, to strengthen requirements for conducting management’s assessment of internal control over financial reporting and to emphasize the need for agencies to integrate and coordinate internal control assessments with other internal-control-related activities. The circular implements the Federal Managers’ Financial Integrity Act (FMFIA). This Act is applicable to the FDIC because of provisions in the Chief Financial Officers Act of 1990 regarding annual reporting by government corporations on their internal accounting and administrative control systems. The FDIC has determined that as long as it develops internal controls that are consistent with the goals of FMFIA, the FDIC will have met its legal obligations under the circular.
48 OMB A-130, Appendix III, establishes minimum controls for federal automated information security programs. The FDIC has determined that portions of the circular apply to the FDIC, while other portions do not apply. The FDIC has also determined that OMB A-130, Appendix III, requires the FDIC to implement and maintain an information security program consistent with government-wide policies, standards, and procedures issued by OMB and the Department of Commerce.

Government oversight agencies, such as GAO and OMB, and recognized standards-setting organizations such as NIST have identified fundamental management principles and controls needed to implement an effective information security program.49 The controls were defined with the publication of FIPS PUB 200 and NIST SP 800-53 Rev. 1, and an assessment methodology was outlined in a draft assessment guide in SP 800-53A. SP 800-53 Rev. 1 defines a minimum set of security controls for the non-national security systems of all federal agencies. These security controls were selected based on the potential impact that could occur to the agency should there be a loss of confidentiality, integrity, or availability of the information or information system.
The publication defines 17 management, operational, and technical security control families that are integral to securing any federal information system.

In addition to the SP 800-53 Rev. 1 controls for securing systems, SP 800-100 describes other controls for agency-wide management of a security program. Based on our analysis of SP 800-100 and the FDIC’s business and IT environment, we identified two additional security program control families, Information Security Governance/Performance Measures and Enterprise Architecture, for testing in 2007. Table 19 lists the security control classes and related security control families.

The FISMA evaluation framework consists of assessing the program control class on an agency-wide basis and assessing management, operational, and technical control classes on a sample of systems. The assessment of control families leverages the results of testing of a selection of the control objectives that make up the control family. We selected systems, control families, and individual controls for testing based on how important the system is to the FDIC, the control family is to the system, and the control is to the control family. We considered risk, costs, results of internal and external reviews, government-wide and FDIC initiatives and goals, the maturity of the security program, and other factors in selecting our samples. For FY 2007, the evaluated information systems included the Windows Servers and Personal Systems GSS. The Personal Systems GSS includes the FDIC’s Windows XP desktop, and the Windows Servers GSS includes Windows NT/2000/2003 server operating systems.

Table 19: Security Control Classes and Families

    Security Control Class    Security Control Family
    Program                   Information Security Governance/Performance Measures
                              Enterprise Architecture
                              Capital Planning*
    Management                Risk Assessment
                              Planning
                              System and Services Acquisition*
                              Certification, Accreditation, and Security Assessments
    Operational               Personnel Security
                              Physical and Environmental Protection
                              Contingency Planning
                              Configuration Management
                              Maintenance
                              System and Information Integrity
                              Media Protection
                              Incident Response
                              Awareness and Training
    Technical                 Identification and Authentication
                              Access Control
                              Audit and Accountability
                              System and Communications Protection*
    Source: KPMG analysis of NIST guidance.
    *This control family was not included in the FY2007 FISMA evaluations of the FDIC’s information security program.

49 GAO Executive Guide, Information Security Management: Learning From Leading Organizations; and OMB A-130, Appendix III; NIST SP 800-14; SP 800-12; and SP 800-53.

Laws and Regulations

The references listed below represent the laws and regulations that were considered in the performance of our audit. Some of the references are statutes and regulatory sources, whose provisions may or may not be legally binding on the FDIC; see individual references for further information. Statutory and regulatory sources that are not binding on the FDIC can provide statements of prudent business practices. The Internet sites and the various references below are subject to change.

Federal Statutes

Federal Information Security Management Act (FISMA) of 2002 (title III, E-Government Act of 2002), Pub. L. No. 107-347, dated December 17, 2002.
http://csrc.nist.gov/policies/FISMA-final.pdf

This Act requires federal agencies, including the FDIC, to develop, document, and implement an agency-wide information security program that provides security for the information and systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.
FISMA directs agencies to have an annual independent evaluation performed of their information security program and practices and to report the results of the evaluation to OMB.

Federal Managers’ Financial Integrity Act of 1982, Pub. L. No. 97-255, dated September 8, 1982.
http://www.whitehouse.gov/omb/financial/fmfia1982.html

The FDIC has determined that portions of the FMFIA are applicable to the FDIC by reference in the Chief Financial Officers Act. In general, the goals of FMFIA are that agency obligations and costs comply with applicable law; assets are guarded against waste and loss; and revenue and expenditures are properly accounted for, so that reliable financial statements can be prepared.

Government Performance and Results Act of 1993, Pub. L. No. 103-62, dated August 3, 1993.
http://www.sc.doe.gov/bes/archives/plans/GPRA_PL103-62_03AUG93.pdf

The Act requires most federal agencies, including the FDIC, to develop a strategic plan that broadly defines the agency’s mission and vision, an annual performance plan that translates the vision and goals of the strategic plan into measurable objectives, and an annual performance report that compares actual results against planned goals.

The Chief Financial Officers (CFO) Act of 1990, Pub. L. No. 101-576, dated November 15, 1990.
http://www.acq.osd.mil/me/pdfs/CFOA.pdf

This Act requires government corporations, such as the FDIC, to prepare annual management reports containing statements regarding the corporation’s internal control systems, consistent with FMFIA.

The Privacy Act of 1974, Pub. L. 93-579, dated Dec. 31, 1974.
http://www.usdoj.gov/oip/privstat.htm

The Act, which is applicable to the FDIC, requires agencies to have appropriate administrative, technical, and physical safeguards over the security and confidentiality of agency records.

Regulation and Presidential Directive

5 Code of Federal Regulations Part 930, Subpart C, Information Security Responsibilities for Employees Who Manage or Use Federal Information Systems, dated June 14, 2004.
http://csrc.nist.gov/policies/OPM-June2004-updated-sectrainaware.html

These regulations require agencies, including the FDIC, to develop plans for security awareness and training with respect to federal information systems, including role-specific training.

Homeland Security Presidential Directive–12, Policy for a Common Identification Standard for Federal Employees and Contractors, dated August 27, 2004.
http://www.whitehouse.gov/news/releases/2004/08/20040827-8.html

This presidential directive requires agencies to develop and implement a mandatory, government-wide standard for secure and reliable forms of identification. According to OMB guidance for implementing HSPD-12, government corporations are encouraged to comply with the directive. The FDIC is voluntarily complying with this directive.

OMB Circulars

OMB Circular No. A-123, Management Responsibility for Internal Control, dated December 21, 2004.
http://www.whitehouse.gov/omb/circulars/a123/a123_rev.pdf

This circular, which implements FMFIA, sets forth the requirements for agency evaluation of and reporting on internal controls as well as reporting on financial management systems.
The FDIC has determined that this circular is applicable to the FDIC; specifically, as long as the FDIC’s internal controls are consistent with the goals of the FMFIA, the FDIC will have met its obligations under this circular.

OMB Circular No. A-127, Financial Management Systems, dated July 23, 1993, as revised.
http://www.whitehouse.gov/omb/circulars/a127/a127.html

This circular prescribes policies for agencies to follow in developing, evaluating, and reporting on their financial management systems. The FDIC has determined that to the extent that the Circular articulates FMFIA’s standards, the FDIC should adhere to those standards.

OMB Circular No. A-130, Management of Federal Information Resources, Appendix III, Security of Federal Automated Information Resources, dated November 28, 2000.
http://www.whitehouse.gov/omb/circulars/a130/a130trans4.pdf

This appendix establishes a minimum set of controls to be included in federal information security programs. Most of its provisions are applicable to the FDIC.

OMB Security-Related Memoranda

The following documents can be found at http://www.whitehouse.gov/omb/memoranda.

M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, dated September 26, 2003.

This memorandum implements section 208 of the E-Government Act, which applies to the FDIC. Accordingly, it addresses requirements for agency privacy impact analyses and website disclosures.

M-05-24, Implementation of Homeland Security Presidential Directive (HSPD) 12—Policy for a Common Identification Standard for Federal Employees and Contractors, dated August 5, 2005.

This memorandum provides implementing instructions for HSPD-12. According to the memorandum, government corporations are encouraged to comply with HSPD-12.

M-06-15, Safeguarding Personally Identifiable Information, dated May 22, 2006.

This memorandum describes agency responsibility for safeguarding PII and requires reviews of related policies and procedures. The FDIC’s intent is to comply with this memorandum or take it under consideration.

M-06-16, Protection of Sensitive Agency Information, dated June 23, 2006.

This memorandum describes protection for agency remote or mobile systems and the need for logging certain data extracts. The FDIC’s intent is to comply with this memorandum or take it under consideration.

M-06-19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments, dated July 12, 2006.

This memorandum requires agencies to report computer incidents to a central federal incident-reporting center. The FDIC’s intent is to comply with this memorandum or take it under consideration.

M-07-11, Implementation of Commonly Accepted Security Configurations for Windows Operating Systems, dated March 22, 2007.

Agencies that upgrade their Windows operating systems are to adopt certain interagency security configurations. The FDIC determined that while OMB has power to require that the FDIC develop policies and provide security protections, OMB cannot compel the FDIC to take specific actions of OMB’s choosing.

M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, dated May 22, 2007.

Agencies are required to develop a breach (unauthorized access) notification policy to implement other controls to protect PII. The FDIC is voluntarily complying with this memorandum.

M-07-19, FY 2007 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, dated July 25, 2007.

The FDIC’s practice is to comply with OMB’s FISMA instructions.

Selected NIST Federal Information Processing Standards (FIPS)

NIST FIPS PUB 199, Standards for Security Categorization of Federal Information and Information Systems, February 2004.
http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf

This publication contains standards for security characterizations of federal information and information systems, as required by FISMA. The publication seeks to promote effective management and oversight of information security programs.
Because the FDIC is not an executive agency for purposes of the\npublication, this publication is not legally applicable to the FDIC, but the FDIC follows its principles.\n\nNIST FIPS PUB 200, Minimum Security Requirements for Federal Information and Information\nSystems, dated March 2006.\nhttp://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf\n\nThis publication specifies minimum security requirements for federal information systems in 17 security-\nrelated areas. The FDIC considers these requirements as reasonable best practices that the FDIC should\nseek to follow.\n\nNIST FIPS PUB 201, Personal Identity Verification (PIV) of Federal Employees and Contractors,\ndated March 2006.\nhttp://csrc.nist.gov/publications/fips/fips201-1/FIPS-201-1-chng1.pdf\n\nThis publication implements HSPD-12. The FDIC is voluntarily complying with FIPS PUB 201.\n\nSelected NIST Special Publications\n\nIn general, these NIST SPs are, by their own terms, guidelines (rather than mandatory requirements) for\nagencies in implementing their IT operations. The following documents may be found at:\nhttp://csrc.nist.gov/publications/nistpubs/.\n\nSP 800-12, An Introduction to Computer Security: The NIST Handbook\nSP 800-18, Rev. 1, Guide for Developing Security Plans for Information Technology Systems\nSP 800-30, Risk Management Guide for Information Technology Systems\nSP 800-34, Contingency Planning Guide for Information Technology Systems\nSP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems\nSP 800-40, Version 2, Procedures for Handling Security Patches\nSP 800-46, Version 2 (Draft), User\xe2\x80\x99s Guide to Securing External Devices for Telework and Remote\nAccess\nSP 800-47, Security Guide for Interconnecting Information Technology Systems\nSP 800-50, Building an Information Technology Security Awareness and Training Program\nSP 800-53 Rev. 
1, Recommended Security Controls for Information Systems\nSP 800-53A (Draft June 2007), Guide for Assessing the Security Controls in Federal Information\nSystems\nSP 800-55, Security Metrics Guide for Information Technology Systems\nSP 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories\nSP 800-61, Computer Security Incident Handling Guide\nSP 800-63, Electronic Authentication Guideline\nSP 800-64, Security Considerations in the Information System Development Life Cycle\n\n\n                                                                                                   Page 42\n\x0cKPMG\xe2\x80\x99s Independent Evaluation of FDIC Information Security Program \xe2\x80\x93 2007      Appendix I\n\nSP 800-65, Integrating Security into the Capital Planning and Investment Control Process\nSP 800-68, Guidance for Securing Microsoft Windows XP Systems for IT Professionals: A NIST\nSecurity Configuration Checklist\nSP 800-70, Security Configurations Checklists Program for IT Products: Guidance for Checklists\nUsers and Developers\nSP 800-100, Information Security Handbook: A Guide for Managers\n\n\n\n\n                                                                                            Page 43\n\x0cKPMG\xe2\x80\x99s Independent Evaluation of FDIC Information Security Program \xe2\x80\x93 2007             Appendix II\n\nAPPENDIX II \xe2\x80\x93 STATUS OF OIG\xe2\x80\x99S FY2006 FISMA KEY STEPS\n\n            Key Steps To Improve Information Security                          Action           Action in\n                                                                              Completed         Progress\nCertification and Accreditation:\n1) Continue to place priority attention on certifying and accrediting the         9\nFDIC\xe2\x80\x99s non-major application systems that process sensitive data.\nAudit and Accountability:\n2) Develop a risk-based, enterprise-wide approach for (a) monitoring\n                               
                                                                     9\nuser access privileges in information systems and (b) generating and\nreviewing audit logs for the FDIC\xe2\x80\x99s inventory of information systems.\nOMB Privacy:\n3) Ensure that all sensitive data stored on mobile FDIC computing\n                                                                                                    9\ndevices is encrypted consistent with OMB\xe2\x80\x99s June 23, 2006\nmemorandum, Protection of Sensitive Agency Information.\nInformation Security Governance:\n4) Complete the FDIC\xe2\x80\x99s information security risk management\nprogram methodology by defining procedures for performing                         9\n(a) continuous monitoring of system security controls after accreditation\nand (b) contingency planning for systems.\nEnterprise Architecture:\n5) Define more fully the FDIC\xe2\x80\x99s information security standards, and                                 9\nintegrate these standards into the Corporation\xe2\x80\x99s EA.\nEnterprise Architecture:\n6) Enhance the FDIC\xe2\x80\x99s inventory of information systems by:\n (a) identifying systems used or operated by contractors and other\norganizations on behalf of the FDIC; (b) including interfaces between              9                 9\neach system in the inventory and all other systems and networks,\n                                                                              (a) and (c)           (b)\nincluding those not operated by, or under the control of, the FDIC; and\n(c) leveraging the EA to centrally manage, track, and report risk-\nmanagement-related information, such as system categorization and test\nand authorization dates.\nSystem and Information Integrity:\n7) Strengthen oversight of contractors with access to sensitive\ninformation and systems by ensuring that (a) contractor IT equipment\nconnected to the FDIC\xe2\x80\x99s network is routinely scanned for security                 
9\nvulnerabilities and the results are addressed in a timely manner, and\n(b) confidentiality agreements are executed in accordance with FDIC\npolicy.\nConfiguration Management:\n8) Strengthen change-control procedures related to mainframe system\n                                                                                  9\nsoftware to ensure that system software programs are formally\ndocumented and that changes are formally controlled and approved.\nCapital Planning:                                                           The FDIC did not agree with the\n9) Improve the FDIC\xe2\x80\x99s information security cost-management practices               OIG\xe2\x80\x99s key step.\nin order to facilitate resource and investment decisions.\n\n\n\n\n                                                                                                    Page 44\n\x0cKPMG\xe2\x80\x99s Independent Evaluation of FDIC Information Security Program \xe2\x80\x93 2007           Appendix III\n\nAPPENDIX III \xe2\x80\x93 SUMMARY OF CONTROLS TESTED\n\nThe table below lists the security controls selected for testing from NIST SP 800-53 Rev. 1,\nRecommended Security Controls for Federal Information Systems, dated December 2006. KPMG\nperformed testing on a sample of controls identified in the \xe2\x80\x9cControls Tested FY 2007\xe2\x80\x9d column. KPMG\nselected security controls for testing based on the risk and applicability to the FDIC\xe2\x80\x99s common controls,\nWindows Servers GSSs, and remote access environments. KPMG considered the control objective\xe2\x80\x99s\nrated requirement (low, moderate, or high), when selecting the security control for testing. In many\ninstances, a security control either did not apply to the information systems selected for testing or was\napplicable only for information with a high FIPS 199 impact rating. None of information systems KPMG\nevaluated had a high FIPS 199 impact rating.\n\n                         NIST SP 800-53 Rev. 
1 Control                          Controls    Controls\n                                                                               Tested FY   Tested FY\n                                                                                 2006        2007\n         Family            No.                         Name\n                                      Management Control Class\n    Risk Assessment      RA-1     Risk Assessment Policy and Procedures           9            9\n    (RA)\n                         RA-2     Security Categorization                         9            9\n                         RA-3     Risk Assessment                                 9            9\n                         RA-4     Risk Assessment Update                          9            9\n                         RA-5     Vulnerability Scanning                          9            9\n    Planning (PL)        PL-1     Security Planning Policy and Procedures         9            9\n                         PL-2     System Security Plan                                         9\n                         PL-3     System Security Plan Update                                  9\n                         PL-4     Rules of Behavior                               9\n                         PL-5     Privacy Impact Assessment                       9            9\n                         PL-6     Security-Related Activity Planning\n    System and           SA-1     System and Services Acquisition Policy and      9            9\n    Services                      Procedures\n    Acquisition (SA)     SA-2     Allocation of Resources\n                         SA-3     Life Cycle Support                                           9\n                         SA-4     Acquisitions                                                 9\n                         SA-5     Information System Documentation                             9\n                         SA-6     Software Usage Restrictions            
         9            9\n                         SA-7     User Installed Software                         9\n                         SA-8     Security Engineering Principles\n                         SA-9     External Information System Services\n                         SA-10    Developer Configuration Management\n                         SA-11    Developer Security Testing\n    Certification,       CA-1     Certification, Accreditation, and Security      9            9\n    Accreditation, and            Assessment Policies and Procedures\n\n\n\n                                                                                                   Page 45\n\x0cKPMG\xe2\x80\x99s Independent Evaluation of FDIC Information Security Program \xe2\x80\x93 2007      Appendix III\n\n                      NIST SP 800-53 Rev. 1 Control                        Controls    Controls\n                                                                          Tested FY   Tested FY\n                                                                            2006        2007\n        Family          No.                         
Name\n   Security           CA-2     Security Assessments                          9\n   Assessments (CA)\n                      CA-3     Information System Connections                9\n                      CA-4     Security Certification                        9            9\n                      CA-5     Plan of Action and Milestones                 9            9\n                      CA-6     Security Accreditation                        9            9\n                      CA-7     Continuous Monitoring                                      9\n                                   Operational Control Class\n   Physical and       PE-1     Physical and Environmental Protection         9            9\n   Environmental               Policy and Procedures\n   Protection (PE)    PE-2     Physical Access Authorizations                9            9\n                      PE-3     Physical Access Control                       9            9\n                      PE-4     Access Control for Transmission Medium\n                      PE-5     Access Control for Display Medium\n                      PE-6     Monitoring Physical Access                    9            9\n                      PE-7     Visitor Control                               9            9\n                      PE-8     Access Records                                9            9\n                      PE-9     Power Equipment and Power Cabling             9\n                      PE-10    Emergency Shutoff                             9\n                      PE-11    Emergency Power                               9\n                      PE-12    Emergency Lighting                            9\n                      PE-13    Fire Protection                               9\n                      PE-14    Temperature and Humidity Controls             9\n                      PE-15    Water Damage Protection                       9\n                      PE-16    Delivery and Removal\n                 
     PE-17    Alternate Work Site                           9\n                      PE-18    Location of Information System\n                               Components\n                      PE-19    Information Leakage\n   Personnel          PS-1     Personnel Security Policy and Procedures      9            9\n   Security (PS)\n                      PS-2     Position Categorization                       9            9\n                      PS-3     Personnel Screening                           9            9\n                      PS-4     Personnel Termination                         9            9\n                      PS-5     Personnel Transfer                            9            9\n                      PS-6     Access Agreements                             9            9\n                      PS-7     Third-Party Personnel Security                9            9\n                      PS-8     Personnel Sanctions\n\n\n                                                                                              Page 46\n\x0cKPMG\xe2\x80\x99s Independent Evaluation of FDIC Information Security Program \xe2\x80\x93 2007      Appendix III\n\n                      NIST SP 800-53 Rev. 1 Control                        Controls    Controls\n                                                                          Tested FY   Tested FY\n                                                                            2006        2007\n         Family         No.                          
Name\n   Contingency        CP-1     Contingency Planning Policy and               9            9\n   Planning (CP)               Procedures\n                      CP-2     Contingency Plan                              9            9\n                      CP-3     Contingency Training                          9            9\n                      CP-4     Contingency Plan Testing and Exercises        9            9\n                      CP-5     Contingency Plan Update                       9            9\n                      CP-6     Alternate Storage Sites                       9            9\n                      CP-7     Alternate Processing Sites                    9            9\n                      CP-8     Telecommunications Services                   9            9\n                      CP-9     Information System Backup                     9            9\n                      CP-10    Information System Recovery and                           9\n                               Reconstitution\n   Configuration      CM-1     Configuration Management Policy and           9            9\n   Management                  Procedures\n   (CM)               CM-2     Baseline Configuration                        9            9\n                      CM-3     Configuration Change Control                  9            9\n                      CM-4     Monitoring Configuration Changes              9\n                      CM-5     Access Restrictions for Change                9            9\n                      CM-6     Configuration Settings                        9            9\n                      CM-7     Least Functionality                           9            9\n                      CM-8     Information System Component Inventory                     9\n   Maintenance        MA-1     System Maintenance Policy and Procedures      9            9\n   (MA)\n                      MA-2     Controlled Maintenance                        9            9\n      
                MA-3     Maintenance Tools\n                      MA-4     Remote Maintenance\n                      MA-5     Maintenance Personnel\n                      MA-6     Timely Maintenance\n   System and         SI-1     System and Information Integrity Policy       9            9\n   Information                 and Procedures\n   Integrity (SI)\n                      SI-2     Flaw Remediation                              9            9\n                      SI-3     Malicious Code Protection                     9            9\n                      SI-4     Information System Monitoring Tools and       9            9\n                               Techniques\n                      SI-5     Security Alerts and Advisories                9\n                      SI-6     Security Functionality Verification\n                      SI-7     Software and Information Integrity\n                      SI-8     Spam Protection                               9\n\n\n                                                                                              Page 47\n\x0cKPMG\xe2\x80\x99s Independent Evaluation of FDIC Information Security Program \xe2\x80\x93 2007            Appendix III\n\n                        NIST SP 800-53 Rev. 1 Control                            Controls    Controls\n                                                                                Tested FY   Tested FY\n                                                                                  2006        2007\n        Family            No.                         
Name\n                        SI-9     Information Input Restrictions\n                        SI-10    Information Accuracy, Completeness,\n                                 Validity, and Authenticity\n                        SI-11    Error Handling\n                        SI-12    Information Output Handling and Retention\n   Media Protection     MP-1     Media Protection Policy and Procedures            9            9\n   (MP)\n                        MP-2     Media Access                                      9\n                        MP-3     Media Labeling                                                 9\n                        MP-4     Media Storage                                     9            9\n                        MP-5     Media Transport                                   9\n                        MP-6     Media Sanitization and Disposal                   9\n   Incident Response    IR-1     Incident Response Policy and Procedures           9            9\n   (IR)\n                        IR-2     Incident Response Training                        9\n                        IR-3     Incident Response Testing and Exercises\n                        IR-4     Incident Handling                                 9            9\n                        IR-5     Incident Monitoring                               9\n                        IR-6     Incident Reporting                                9            9\n                        IR-7     Incident Response Assistance                      9\n   Awareness and        AT-1     Security Awareness and Training Policy            9            9\n   Training (AT)                 and Procedures\n                        AT-2     Security Awareness                                9            9\n                        AT-3     Security Training                                 9            9\n                        AT-4     Security Training Records                                      9\n                        
AT-5     Contacts with Security Groups and\n                                 Associations\n                                      Technical Control Class\n   Identification and   IA-1     Identification and Authentication Policy and      9            9\n   Authentication                Procedures\n   (IA)                 IA-2     User Identification and Authentication            9            9\n                        IA-3     Device Identification and Authentication\n                        IA-4     Identifier Management                             9            9\n                        IA-5     Authenticator Management                          9\n                        IA-6     Authenticator Feedback                            9            9\n                        IA-7     Cryptographic Module Authentication\n   Access Control       AC-1     Access Control Policy and Procedures              9            9\n   (AC)\n                        AC-2     Account Management                                9            9\n\n\n\n                                                                                                    Page 48\n\x0cKPMG\xe2\x80\x99s Independent Evaluation of FDIC Information Security Program \xe2\x80\x93 2007         Appendix III\n\n                      NIST SP 800-53 Rev. 1 Control                           Controls    Controls\n                                                                             Tested FY   Tested FY\n                                                                               2006        2007\n        Family          No.                       
Name\n                      AC-3     Access Enforcement                               9            9\n                      AC-4     Information Flow Enforcement\n                      AC-5     Separation of Duties                                          9\n                      AC-6     Least Privilege                                  9            9\n                      AC-7     Unsuccessful Login Attempts                      9            9\n                      AC-8     System Use Notification                          9            9\n                      AC-9     Previous Logon Notification\n                      AC-10    Concurrent Session Control\n                      AC-11    Session Lock                                     9\n                      AC-12    Session Termination                              9            9\n                      AC-13    Supervision and Review \xe2\x80\x93 Access Control                       9\n                      AC-14    Permitted Actions without Identification or      9\n                               Authentication\n                      AC-15    Automated Marking\n                      AC-16    Automated Labeling\n                      AC-17    Remote Access                                    9            9\n                      AC-18    Wireless Access Restrictions\n                      AC-19    Access Control for Portable and Mobile                        9\n                               Systems\n                      AC-20    Use of External Information System                            9\n   Audit and          AU-1     Audit and Accountability Policy and              9            9\n   Accountability              Procedures\n   (AU)               AU-2     Auditable Events                                 9            9\n                      AU-3     Content of Audit Records                         9            9\n                      AU-4     Audit Storage Capacity                           9            9\n 
                     AU-5     Response to Audit Processing Failures            9            9\n                      AU-6     Audit Monitoring, Analysis, and Reporting        9            9\n                      AU-7     Audit Reduction and Report Generation\n                      AU-8     Time Stamps                                      9            9\n                      AU-9     Protection of Audit Information                  9            9\n                      AU-10    Non-repudiation                                               9\n                      AU-11    Audit Record Retention                           9\n   System and         SC-1     System and Communications Protection             9            9\n   Communications              Policy and Procedures\n   Protection (SC)    SC-2     Application Partitioning                                      9\n                      SC-3     Security Function Isolation\n\n\n\n                                                                                                 Page 49\n\x0cKPMG\xe2\x80\x99s Independent Evaluation of FDIC Information Security Program \xe2\x80\x93 2007    Appendix III\n\n                      NIST SP 800-53 Rev. 1 Control                      Controls    Controls\n                                                                        Tested FY   Tested FY\n                                                                          2006        2007\n        Family          No.                        
Name\n                      SC-4     Information Remnants\n                      SC-5     Denial of Service Protection\n                      SC-6     Resource Priority\n                      SC-7     Boundary Protection                                      9\n                      SC-8     Transmission Integrity\n                      SC-9     Transmission Confidentiality                 9           9\n                      SC-10    Network Disconnect\n                      SC-11    Trusted Path\n                      SC-12    Cryptographic Key Establishment and\n                               Management\n\n                      SC-13    Use of Cryptography\n                      SC-14    Public Access Protections\n                      SC-15    Collaborative Computing\n                      SC-16    Transmission of Security Parameters\n                      SC-17    Public Key Infrastructure Certificates\n                      SC-18    Mobile Code                                              9\n                      SC-19    Voice Over Internet Protocol\n                      SC-20    Secure Name/Address Resolution Service\n                               (Authoritative Source)\n                      SC-21    Secure Name/Address Resolution Service\n                               (Recursive or Caching Resolver)\n                      SC-22    Architecture and Provisioning for\n                               Name/Address Resolution Service\n                      SC-23    Session Authenticity\n\n\n\n\n                                                                                            Page 50\n\x0cKPMG\xe2\x80\x99s Independent Evaluation of FDIC Information Security Program \xe2\x80\x93 2007                                                                                                                                 Appendix IV\n\nAPPENDIX IV \xe2\x80\x93 OMB SECURITY QUESTIONS\n\n                                                                               
Section C- Inspector General: Questions 1 and 2\nAgency Name: Federal Deposit Insurance Corporation (FDIC)                                                                                                                 Submission Date: 9/26/07\n                                                                                             Question 1: FISMA System Inventory\n\n\n1. As required in FISMA, the IG shall evaluate a representative subset of systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency.\n\nIn the table below, identify the number of agency and contractor information systems, and the number reviewed, by component/bureau and FIPS 199 system impact level (high, moderate, low, or not\ncategorized). Extend the worksheet onto subsequent pages if necessary to include all Component/Bureaus.\n\nAgency systems shall include information systems used or operated by an agency. Contractor systems shall include information systems used or operated by a contractor of an agency or other organization on behalf of\nan agency. The total number of systems shall include both agency systems and contractor systems.\n\nAgencies are responsible for ensuring the security of information systems used by a contractor of their agency or other organization on behalf of their agency; therefore, self reporting by contractors does not meet the\nrequirements of law. Self-reporting by another Federal agency, for example, a Federal service provider, may be sufficient. Agencies and service providers have a shared responsibility for FISMA compliance.\n                                                  -             Question 2: Certification and Accreditation, Security Control Testing, and Contingency Plan Testing\n\n2. 
For the Total Number of Systems reviewed by Component/Bureau and FIPS System Impact Level in the table for Question 1, identify the number and percentage of systems which have: a current\ncertification and accreditation, security controls tested and reviewed within the past year, and a contingency plan tested in accordance with policy.\n\n                                                                                Question 1                                                                                Question 2\n                                                  a.                              b.                            c.                          a.                            b.                               c.\n                                            Agency Systems                Contractor Systems             Total Number of            Number of systems           Number of systems for            Number of systems for\n                                                                                                       Systems (Agency and            certified and             which security controls         which contingency plans\n                                                                                                        Contractor systems)            accredited                have been tested and              have been tested in\n                                                                                                                                                               reviewed in the past year         accordance with policy\n                                                                                                                      Total\n                     FIPS 199 Risk                      Number                         Number          Total         Number          Total        Percent         Total         Percent of        Total          Percent of\nBureau Name          Impact Level        Number        
Reviewed          Number       Reviewed        Number        Reviewed        Number        of Total       Number           Total          Number            Total\n\n\n\nFDIC                High                     0              0              0                 0           0              0              0            N/A             0              N/A               0              N/A\n\n\n\n                    Moderate                16              2              0                 0          16              2              2           100%             2             100%               2             100%\n\n\n\n                    Low                      0              0              0                 0           0              0              0            N/A             0              N/A               0              N/A\n\n\n\n                    Not Categorized          0              0              0                 0           0              0              0            0%              0              0%                0              0%\n\n\n\n                    Total                   16              2              0                 0          16              2              2           100%             2             100%               2             100%\n\n\n\n                                                                                                                                                                                                                   Page 51\n\x0cKPMG\xe2\x80\x99s Independent Evaluation of FDIC Information Security Program \xe2\x80\x93 2007                                                                                                                         Appendix IV\n                                                                              Section C- Inspector General: Questions 3\nAgency Name: Federal Deposit Insurance Corporation (FDIC)                                                                                      
Submission Date: 9/26/07

Question 3: Evaluation of Agency Oversight of Contractor Systems and Quality of Agency System Inventory

3.a. The agency performs oversight and evaluation to ensure information systems used or operated by a contractor of the agency or other organization on behalf of the agency meet the requirements of FISMA, OMB policy and NIST guidelines, national security policy, and agency policy.

     Agencies are responsible for ensuring the security of information systems used by a contractor of their agency or other organization on behalf of their agency; therefore, self-reporting by contractors does not meet the requirements of law. Self-reporting by another Federal agency, for example, a Federal service provider, may be sufficient. Agencies and service providers have a shared responsibility for FISMA compliance.

     Response Categories:
       - Rarely, for example, approximately 0-50% of the time
       - Sometimes, for example, approximately 51-70% of the time
       - Frequently, for example, approximately 71-80% of the time
       - Mostly, for example, approximately 81-95% of the time
       - Almost Always, for example, approximately 96-100% of the time

     Response: Frequently, for example, approximately 71-80% of the time

3.b. The agency has developed an inventory of major information systems (including major national security systems) operated by or under the control of such agency, including an identification of the interfaces between each such system and all other systems or networks, including those not operated by or under the control of the agency.

     Response Categories:
       - The inventory is approximately 0-50% complete
       - The inventory is approximately 51-70% complete
       - The inventory is approximately 71-80% complete
       - The inventory is approximately 81-95% complete
       - The inventory is approximately 96-100% complete

     Response: The inventory is approximately 71-80% complete

     Comments: Based on KPMG’s review of the system inventory, the number of system interfaces could not be verified because the system inventory does not identify system interfaces between each system and all other systems or networks, including those not operated by, or under, the control of the agency. The FDIC does include this information on an Application Security Assessment (ASA). However, KPMG noted that ASAs containing this interfacing information have not been completed for all applications.

3.c. The IG generally agrees with the CIO on the number of agency-owned systems. Yes or No.

     Response: Yes

3.d. The IG generally agrees with the CIO on the number of information systems used or operated by a contractor of the agency or other organization on behalf of the agency. Yes or No.

     Response: Yes

3.e. The agency inventory is maintained and updated at least annually. Yes or No.

     Response: Yes

3.f. If the Agency IG does not evaluate the Agency's inventory as 96-100% complete, please identify the known missing systems by Component/Bureau, the Unique Project Identifier (UPI) associated with the system as presented in your FY2008 Exhibit 53 (if known), and indicate if the system is an agency or contractor system.

     Component/Bureau                     System Name    Exhibit 53 Unique Project Identifier (UPI)    Agency or Contractor system?
     Division of Administration (DOA)     PEGASYS        Not Applicable                                Agency

     Number of known systems missing from inventory: 1

Section C - Inspector General: Question 4
Agency Name: Federal Deposit Insurance Corporation (FDIC)
Submission Date: 9/26/07

Question 4: Evaluation of Agency Plan of Action and Milestones (POA&M) Process

Assess whether the agency has developed, implemented, and is managing an agency-wide plan of action and milestones (POA&M) process. Evaluate the degree to which each statement reflects the status in your agency by choosing from the responses provided. If appropriate or necessary, include comments in the area provided.

For each statement in items 4.a. through 4.f., select the response category that best reflects the agency's status.

Response Categories:
 - Rarely, for example, approximately 0-50% of the time
 - Sometimes, for example, approximately 51-70% of the time
 - Frequently, for example, approximately 71-80% of the time
 - Mostly, for example, approximately 81-95% of the time
 - Almost Always, for example, approximately 96-100% of the time

4.a. The POA&M is an agency-wide process, incorporating all known IT security weaknesses associated with information systems used or operated by the agency or by a contractor of the agency or other organization on behalf of the agency.
     Response: Frequently, for example, approximately 71-80% of the time

4.b. When an IT security weakness is identified, program officials (including CIOs, if they own or operate a system) develop, implement, and manage POA&Ms for their system(s).
     Response: Mostly, for example, approximately 81-95% of the time

4.c. Program officials and contractors report their progress on security weakness remediation to the CIO on a regular basis (at least quarterly).
     Response: Almost Always, for example, approximately 96-100% of the time

4.d. Agency CIO centrally tracks, maintains, and reviews POA&M activities on at least a quarterly basis.
     Response: Almost Always, for example, approximately 96-100% of the time

4.e. IG findings are incorporated into the POA&M process.
     Response: Frequently, for example, approximately 71-80% of the time

4.f. POA&M process prioritizes IT security weaknesses to help ensure significant IT security weaknesses are addressed in a timely manner and receive appropriate resources.
     Response: Almost Always, for example, approximately 96-100% of the time

POA&M process comments: Although the FDIC has developed policy and guidelines for preparing and managing system-level POA&Ms, the FDIC needed to modify its POA&M procedures to ensure that system-level POA&Ms either reflect consolidation of, or are accompanied by, other FDIC plans to correct all relevant IT security weaknesses, including weaknesses identified in GAO and FDIC OIG reports and any other IT security review. C&A guidelines provide that ST&E weaknesses are included in system-level POA&Ms. In addition, the FDIC tracks system-level security weaknesses in a number of standalone spreadsheets and databases based on how the weakness is identified. For example, system-level security weaknesses identified by the GAO, OIG, or internal FDIC reviews are managed in the FDIC’s IRIS, whereas system-level security weaknesses identified by ST&Es are managed in system-level POA&Ms. DIT can better integrate its management of security weaknesses by developing system-level POA&Ms that include all relevant security weaknesses, either through consolidation of other documents used to identify and track weaknesses or as a POA&M attachment. At the close of KPMG’s fieldwork, DIT began including all IT security weaknesses on system-level POA&Ms.

Section C - Inspector General: Question 5
Agency Name: Federal Deposit Insurance Corporation (FDIC)
Submission Date: 9/26/07

Question 5: IG Assessment of the Certification and Accreditation Process

Provide a qualitative assessment of the agency's certification and accreditation process, including adherence to existing policy, guidance, and standards. Provide narrative comments as appropriate.

Agencies shall follow NIST Special Publication 800-37, "Guide for the Security Certification and Accreditation of Federal Information Systems" (May 2004) for certification and accreditation work initiated after May 2004. This includes use of FIPS 199, "Standards for Security Categorization of Federal Information and Information Systems" (February 2004) to determine a system impact level, as well as the associated NIST documents used as guidance for completing risk assessments and security plans.

5.a. The IG rates the overall quality of the Agency's certification and accreditation process as:

     Response Categories:
       - Excellent
       - Good
       - Satisfactory
       - Poor
       - Failing

     Response: Satisfactory

5.b. The IG's quality rating included or considered the following aspects of the C&A process (check all that apply):
       [X] Security plan
       [X] System impact level
       [X] System test and evaluation
       [X] Security control testing
       [X] Incident handling
       [X] Security awareness training
       [X] Configurations/patching
       [ ] Other:

C&A process comments: The FDIC established a C&A program consisting of policies, procedures, and guidelines; key personnel, such as a Certification Agent and Authorizing Official; an independent ST&E process; and POA&Ms for tracking and remediating security weaknesses. The FDIC has fully certified and accredited all of its major information systems, including GSSs and major applications, consistent with NIST security standards and guidelines. In addition, the FDIC revised its information security risk management methodology in June 2006 to achieve cost efficiencies in its C&A processes by consolidating its minor information systems that process sensitive data through an aggregation process. While these accomplishments are significant, KPMG and OIG testing of security controls during FY 2007 noted control weaknesses in GSSs that recently completed the C&A process. 
More thorough testing during the ST&E phase or through enhanced Continuous Monitoring activities of these GSSs likely would have identified these control deficiencies. Thus, KPMG has rated the FDIC’s C&A processes as “Satisfactory.”

Section C - Inspector General: Questions 6 and 7
Agency Name: Federal Deposit Insurance Corporation (FDIC)
Submission Date: 9/26/07

Question 6: IG Assessment of Agency Privacy Program and Privacy Impact Assessment (PIA) Process

6.a. Provide a qualitative assessment of the agency's Privacy Impact Assessment (PIA) process, as discussed in Section D II.4 (SAOP reporting template), including adherence to existing policy, guidance, and standards.

     Response Categories:
       - Excellent
       - Good
       - Satisfactory
       - Poor
       - Failing

     Response: Satisfactory

     Comments: The FDIC OIG has prepared a report, AUD-07-013, entitled Response to Privacy Program Information Request in OMB’s Fiscal Year 2007 Reporting Instructions for FISMA and Agency Privacy Management, scheduled for issuance on September 26, 2007. Please refer to this public report for additional information regarding the FDIC’s privacy program.

6.b. Provide a qualitative assessment of the agency's progress to date in implementing the provisions of M-06-15, "Safeguarding Personally Identifiable Information" since the most recent self-review, including the agency's policies and processes, and the administrative, technical, and physical means used to control and protect personally identifiable information (PII).

     Response Categories:
       - Excellent
       - Good
       - Satisfactory
       - Poor
       - Failing

     Response: Satisfactory

     Comments: The FDIC OIG has prepared a separate report, AUD-07-013, titled Response to Privacy Program Information Request in OMB’s Fiscal Year 2007 Reporting Instructions for FISMA and Agency Privacy Management, scheduled for issuance on September 26, 2007. Please refer to this public report for additional information regarding the FDIC’s Privacy Program.

Question 7: Configuration Management

7.a. Is there an agency-wide security configuration policy? Yes or No.

     Response: Yes

     Comments: None.

7.b. Approximate the extent to which applicable information systems apply common security configurations established by NIST.

     Response Categories:
       - Rarely, for example, approximately 0-50% of the time
       - Sometimes, for example, approximately 51-70% of the time
       - Frequently, for example, approximately 71-80% of the time
       - Mostly, for example, approximately 81-95% of the time
       - Almost Always, for example, approximately 96-100% of the time

     Response: Mostly, for example, approximately 81-95% of the time

     Comments: As part of the 2007 FISMA Evaluation at the FDIC, KPMG reviewed the FDIC’s Personal Systems GSS, which included Windows XP. KPMG compared the FDIC’s Windows XP security configuration settings to those established by NIST SP 800-68 and noted that 27 of the 133 identified settings were not in compliance. KPMG noted that the FDIC historically follows industry best practices established by NIST or the National Security Agency and then tailors the settings for compatibility with its environment. 
     Based on this observation and the fact that this is the first year that configuration settings are being directly compared to those established by NIST, our response is Mostly, for example, approximately 81-95% of the time.

Section C - Inspector General: Questions 8, 9, 10 and 11
Agency Name: Federal Deposit Insurance Corporation (FDIC)
Submission Date: 9/26/07

Question 8: Incident Reporting

Indicate whether or not the agency follows documented policies and procedures for reporting incidents internally, to US-CERT, and to law enforcement. If appropriate or necessary, include comments in the area provided below.

8.a. The agency follows documented policies and procedures for identifying and reporting incidents internally. Yes or No.

     Response: Yes

8.b. The agency follows documented policies and procedures for external reporting to US-CERT (http://www.us-cert.gov). Yes or No.

     Response: Yes

8.c. The agency follows defined procedures for reporting to law enforcement. Yes or No.

     Response: Yes

     Comments: As part of the 2007 FISMA Evaluation, KPMG selected a non-statistical sample of 20 incidents and verified that CSIRT followed their documented policies and procedures when handling the incidents.

Question 9: Security Awareness Training

9. Has the agency ensured security awareness training of all employees, including contractors and those employees with significant IT security responsibilities?

   Response Choices include:
     - Rarely, or approximately 0-50% of employees have sufficient training
     - Sometimes, or approximately 51-70% of employees have sufficient training
     - Frequently, or approximately 71-80% of employees have sufficient training
     - Mostly, or approximately 81-95% of employees have sufficient training
     - Almost Always, or approximately 96-100% of employees have sufficient training

   Response: Almost Always, or approximately 96-100% of employees have sufficient training

Question 10: Peer-to-Peer File Sharing

10. Does the agency explain policies regarding peer-to-peer file sharing in IT security awareness training, ethics training, or any other agency-wide training? Yes or No.

    Response: Yes

Question 11: E-Authentication Risk Assessment

11. The agency has completed system e-authentication risk assessments. Yes or No.

    Response: Yes

APPENDIX V – GLOSSARY OF TERMS

Access Control: The ability to ensure that only authorized users can access system resources in authorized ways.

Adequate Security: Security commensurate with the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to, or modification of, information.

Audit Trail: A series of records of computer-related events about an operating system, an application, or user activities. An information system may have several audit trails, each devoted to a particular type of activity. The terms audit trail and audit log are used synonymously in this report.

Auditable Event: An event is any action that happens on a computer system. 
Examples include logging into a system, executing a program, and opening a file.

Biometrics: One of various technologies that utilize behavioral or physiological characteristics to determine or verify identity. For example, a fingerprint scan is a commonly used biometric.

Encryption: In cryptography, the means and method for rendering information unintelligible.

Firmware: A computer program that is embedded in a hardware device. It can also be provided on flash read-only memory or as a binary image file that can be uploaded onto existing hardware by a user.

General Support System (GSS): An interconnected set of information resources under the same direct management control that shares common functionality. It normally includes hardware, software, information, data, applications, communications, and people.

Hotfixes: A single, cumulative package that includes one or more files that are used to address a problem in a product. Hotfixes address a specific customer situation and may not be distributed outside the customer organization.

Intrusion Detection System (IDS): Software that automates the process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents.

Least Privilege: Refers to the practice of restricting a user’s access to only those resources needed to perform official duties.

Log: A record of the events occurring within an organization’s systems and networks. Logs are composed of entries that contain information related to a specific event that occurred within a system or network.

Major Applications: An application that requires special attention to security due to the risk and magnitude of harm resulting from the loss, misuse, unauthorized access to, or modification of, the information in the application.

National Institute of Standards and Technology (NIST): A non-regulatory federal agency within the Department of Commerce’s Technology Administration. As part of its responsibilities, NIST develops and publishes technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive, but unclassified, information in federal computer systems.

Rational Unified Process (RUP®): An iterative software development process created by the Rational Software Corporation, now a division of IBM. The RUP is not a single concrete prescriptive process, but rather an adaptable process framework that the FDIC has customized for its systems development life cycle.

Source Code: A set of programming language instructions that must be translated into machine instructions before the program can run.

Security Test & Evaluation (ST&E): An examination and analysis of the security safeguards of a system as they have been applied in an operational environment to determine the security posture of the system.